Recently, security researcher Rajashekhar Rajaharia thought he was doing his duty when twice — on February 26 and March 4 — he tried to draw the attention of the Mobikwik management to what many believe is the largest ever data hack in Indian history. As a provider of a mobile phone-based payment system and digital wallet, Mobikwik deals with millions of customers’ data, including sensitive personal information. All that Rajashekhar wanted was for the company to inform the users of the breach and the steps taken to address the situation. He was responding to a hacker who claimed to have access to more than 100 million cardholder details from the Mobikwik client data. What he was not prepared for was the counterattack by the company who called him “media crazed” and also stated that they would be taking legal action against him.
Soon there was independent corroboration from the anonymous hacker handle Elliot Alderson and from Alon Gal, CTO of the Israeli security firm Hudson Rock, who maintained that this was the largest KYC breach in India ever. Anyone surfing the dark web with a Tor browser could find an enormous collection of data, including the KYC documents of 3.5 million people, the phone numbers and bank details of almost 100 million individuals and, in some cases, even geolocation data, put up for sale for a measly 1.5 bitcoins, or approximately 62 lakh rupees. As more and more users found that their data was available online, the company maintained its brazen stand that no data was leaked from its database, and its CEO went on Twitter to harp on the “made in India” mark of the business, which had nothing to do with data security. He went on to further claim that the data leak could have happened from some other platform.

The cause for worry also lies in the fact that the anonymous hacker who posted this data claims that the KYC details were used to successfully take out micro loans. Unless the company owns up to the data breach and informs all the users whose data has been put out, there can be an avalanche of such micro loans, with the burden falling on users who may not even be aware of the breach.
This raises the pertinent issue of the regulatory ecosystem and its intervention in a scenario where security experts claim a major breach while the entity in question denies it. Reports that the Reserve Bank of India has asked Mobikwik to investigate the matter have come in, but it is much too late. CERT-In, the national nodal agency for responding to computer security incidents as and when they occur, should have authorised an independent audit immediately to trace the breach and take corrective measures. Mobikwik is in the process of coming out with its Initial Public Offering, and it is understandable that it would like to avoid negative publicity. So even the Ministry of Corporate Affairs should have investigated the reported leak and put the IPO on hold if the data breach is actually true.
Over the last year, the need for quick passage of the Personal Data Protection Bill 2019 (PDPB) has been raised many times to address situations like this. That is because, under the present set of laws, a data breach cannot be effectively penalised if the company decides to brazen it out and the government is not willing to take the bull by the horns. True, Section 43(A) of the Information Technology Amendment Act 2008 and the relevant Rules notified in April 2011 can be used to hold the company to account, as “whenever a company deals with any sensitive personal data or information, and is negligent in maintaining a reasonable security to protect such data or information, which thereby causes wrongful loss or wrongful gain to any person, then such body corporate shall be liable to pay damages to the person(s) so affected.” Similarly, the company can be held negligent under Section 72 of the same IT Act. Even the IPC offers some protection for the user under ‘Breach of Trust’. But all of these are sufficiently arduous processes, and the easiest solution to start with would be to make the breach public and ask the affected individuals to modify their bank details.
It is time for the government to take immediate cognisance of the growing value of data security and take steps to protect user data by passing the PDPB at the earliest. Furthermore, let the messenger not be shot. Cybersecurity is a cooperative exercise, and the institutions tasked with the job must not just perform their jobs but also be seen to be performing them. A little transparency will go a long way.