Major Cyberattacks in India, 2024. What is the message for CISOs?

For CTOs and CISOs, the message is straight and clear: prioritising data protection must be the most important pillar of the foundation for operations and business continuity, not an afterthought.

A survey by PwC, ‘2024 Global Digital Trust Insights’, on cyber risk perspectives highlighted at the beginning of 2024 that over the next 12 months Indian organisations will be weighing cloud-related threats (52%), attacks on connected devices (45%), hack-and-leak operations (36%) and software supply-chain compromise (35%).

Laws on Cyber security and Data protection

Over the years, laws have been changed and made as required, such as the Digital Personal Data Protection Act, 2023 (DPDP Act) for personal data breaches, the Aadhaar Act, 2016 and its rules, and sector-specific regulations from the RBI, SEBI, etc.

In the event of a personal data breach, the DPDP Act requires entities processing personal data to notify the Data Protection Board of India.

  • The DPDP Act also requires that each affected individual be informed in the event of a ‘personal data breach’. But do we see that happening, and is the public aware of the laws that can help protect their sensitive information or retrieve it in the event of a hack?
  • There are lapses, and raising cyber awareness is the prime aim, along with co-operation from law enforcement agencies and compliance that carries a legal obligation to perform and secure data.
  • One of the major aspects covered by this legislation is the extent to which any business or entity may use the personal data it obtains; it gives the individual whose data is collected the authority to consent to, edit and/or correct their data.

As per CERT ACT of 2022, any high-priority cyber security incident, such as a ransomware attack or data breach, must be reported within 6 hours of the incident.

Let's dig in and look at a few of the major breaches that targeted Indian institutions in the year 2024.

  • Angel One, a Mumbai-based stock brokerage firm, reported that its 8 million customers suffered a data breach. The hacker exposed Personally Identifiable Information (“PII”) such as customers’ names, addresses, contact numbers, and bank account details on a hacker forum.
  • Indian internet service provider Hathway experienced a data breach impacting approximately 4 million users. The breach occurred when a hacker exploited a security vulnerability in the Hathway content management system and exploited KYC details on 8 Jan 2024. (Source: Hackread)
  • BleepingComputer revealed how a vulnerability in Trello’s API helped hackers access and match public Trello user profiles, exposing 15 million email IDs.
  • As per BankInfoSecurity, a major data leak exposed the personal information in medical records of CoronaLab. The data was accidentally left unsecured online for two weeks, which was the reason for the major exposure of patient data.
  • Business Standard reported a major breach affecting fintech Motilal Oswal Financial Services (MOFSL), a prominent Indian brokerage firm. The LockBit ransomware gang announced on the dark web a successful infiltration of MOFSL's systems, compromising what they referred to as “confidential data” belonging to more than 6 million clients. This breach had the potential to expose a wealth of sensitive information, encompassing names, addresses, contact details, etc., posing a potential risk to the affected individuals’ personal information.
  • BSNL, the Indian government telecom entity, suffered another data breach, its second in just six months. This latest breach resulted in the exposure of a massive 278GB of user information, sparking profound worries regarding customer privacy. The data included sensitive details such as phone numbers and internal server information.
  • TeamViewer, the very popular remote meeting software provider, had its internal systems breached in June 2024, as per The Hacker News. Hackers got in through a compromised employee account, potentially accessing internal information such as employee names, contact details, and even encrypted passwords.
  • In July 2024, WazirX, the Indian cryptocurrency exchange, reported a security breach leading to the loss of over $230 million in digital assets. A hacker from a North Korean cybercrime group exploited a vulnerability in the exchange’s multi-signature wallet system and broke multiple security protocols, as per The Register. A blockchain firm analysed the movement of the stolen funds and the subsequent money laundering attempts.
  • The latest data leak involving India’s S-400 missile defense system has triggered national security concerns. The leaked data, originating from hacked emails of Russian military officials, exposes the specific configuration of the advanced weapon system procured from Russia. (Source: CNET)
  • In August, Durex India was hit by a significant data breach in which customers’ personal and intimate details were leaked. Durex India is still investigating the incident and taking steps to mitigate any potential harm to affected customers. They have advised customers to be vigilant for signs of identity theft and to report any suspicious activity immediately.
  • The most expensive breach was the one claimed against Star Health Insurance by a hacker named xenZen, who claims to have hacked the data of about 31 million customers. The hacker claimed to have purchased it from Star Health’s Chief Information Security Officer (CISO), Amarjeet Khanuja. The breach raised concerns over the integrity of data protection measures at major institutions such as insurers.

What do we most require to address cyber security gaps?

There are gaps and vulnerabilities, and to address them we require robust data protection legislation that ensures the rights of citizens, with clear guidelines, regulations, and enforcement mechanisms to safeguard personal information; the protocol remains the same for organisations.

  • Whenever required, hold entities accountable for any lapses in cyber security protocols.
  • Build dedicated agencies and initiatives to counter the insufficient resources required to build a safe cyber security environment.
  • Take organisational measures such as designing breach prevention strategies based on detailed risk assessments.
  • As remedial measures, document each and every detail before and after the incident; once the breach is under control, an in-depth assessment and audit must be conducted.
  • For legal mandates, organisations should be proactive in adopting a comprehensive approach, including preventive measures that secure data to prevent breaches, an incident response plan to swiftly address them, and mitigation thereafter.
