Table of Contents
Introduction
Remember the page that pop-ups while using an app or a website, that you scroll down impatiently to quickly tick the ‘Accept Terms & Conditions, ‘Allow Access’ options- by doing so you allow the concerned company to access your data stored on your device. Sometimes, you consciously give your data like the phone number, account number, personal details to companies to access their services. With increased digitalization and ease of the process, it is inevitable to completely avoid giving our data, and also the companies that take our data must protect it and keep it confidential. The leaking of data makes individuals vulnerable to malware, financial loss, threats to sensitive information, etc. Here, we will discuss what is being called “one of the biggest data breaches in history.”
Data Breach by MobiKwik
MobiKwik, an Indian company founded by Bipin Preet Singh and Upasana Taku in 2009, provides mobile and online payment services; it can be called as a digital wallet. In 2013, the Reserve Bank of India (RBI) authorized the company’s MobiKwik wallet.
Recently, data of around 110 million MobiKwik Indian users have been leaked, among which about 3.5 million users’ KYC, phone numbers, and 100 million users’ bank account details, email IDs, geolocations, etc. have been put on sale on the dark web for merely 1.5-bit coins or approx. Rs. 62 lakhs. It’s a total of 8.2 TB of data that has been breached. The breach was flagged by a cyber security engineer and vigilante hacker Elliot Alderson and Alon Gal, the CTO of the Israeli Security firm, Hudson Rock in a tweet on their accounts with screenshots attached. Initially, in early March, Rajashekhar Rajaharia, an internet security researcher, tried to draw the attention of MobiKwik authorities towards this data breach twice and warned the company to take immediate steps to address the situation and even some users confirmed that their data was being made available online but the company chose to ignore it and threatened Rajashekhar to take legal action and called him ‘media crazed’.
However, MobiKwik’s attitude towards this had been very lax and the company initially denied all allegations that they found no breach even after investigations. After the news gained media attention, it claimed that the data was removed from the website and hackers claimed to have deleted the data from their servers. But there is no way to verify this and also, the company refused to take any responsibility for the targeted users.
About Data Breach
Data, as given in the Personal Data Protection bill of India, includes- a representation of information, facts, concepts, opinions, or instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means. And, personal data includes data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute, or any other feature of the identity of such person, whether online or offline, or any combination of such features with any other information, and includes any inference from such data for profiling. So, when any unauthorized user discloses, acquires shares, alters, destructs, or loses access to, compromises confidentiality, the integrity of such data, they are said to have committed a data breach. In short, according to the Cambridge dictionary, when private information can be seen by people, who should not see it, data breach happens.
The data that is breached is often made available on the dark web-also called the dark net, which is encrypted online content that is not managed by conventional search engines like Google, Yahoo, etc. It is a part of the deep web which includes many other services like online banking, paying, etc., and whose websites do not appear on the conventional search engines. It is being used as a medium for carrying out illegal activities like child abuse, murder, etc., and unethical transactions as it offers a high level of anonymity for the users, and crypto currencies are generally used there to carry out the transactions and there is no strong regulatory law for the crypto currency. The irony is, if the dark web offers high privacy to individuals, it is also highly used to breach other individuals’ privacy and sensitive information like photos, bank account numbers, passwords, etc. are stolen and used unethically.
Some Big Data Breaches
These incidents of a data breach are not sudden and slowly have become more-n-more frequent. In 2016, 412.2 million users’ data including passwords, emails, photos, was stolen from a casual hookup site named Adult Friend Finder. The production servers that the company was using got exploited by the hackers. In 2012 and 2016, 165 million users’ data was breached from the social networking site of business professionals, LinkedIn by a Russian hacker. Then, in 2014-18, a Chinese intelligence group stole data that includes passport numbers, credit card numbers among others, of 500 million customers of Marriott International. Further, in 2013-2014, 3 billion users of Yahoo became a victim of what is called the “biggest data breach in history.” Last but not least, in March 2020, 538 million users of China’s Twitter alternative Sina Weibo became vulnerable to data breach and the breached data was put for sale on dark web markets for 1,799 Yen.
Legal Developments related to Data Privacy
The Hon’ble SC of India in K.S Puttaswamy and Another v. UOI and Others (2017) 10 SCC 1, held that the Right to Privacy is a fundamental right under Article 21 of the Indian Constitution. The court stated that every individual has the right to control their commercial identity and to exclusively use and control their identity, personal information, other related information on the internet and to allow others to use that personal data for a limited purpose only. That means an individual has a fundamental right to determine how, where and to what extent their data can be used. These increasing numbers of data breaches violate as well as are a threat to the Right to Privacy of individuals.
It’s not that efforts have not been made to secure the privacy of individuals. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, aims to safeguard the personal and sensitive data of individuals. Under these rules, it is compulsory to disclose the purpose and usage of the collected information in clear and unambiguous terms and that the purpose should only be a lawful and absolutely necessary one. Permission should be taken from concerned individuals before disclosing or sharing their personal information to a third party except under certain legal usage. The major setback of these rules is their improper implementation as well as insufficient penalty and these apply only to corporate bodies within India.
There are certain section of IT Act, 2000, that seeks to protect the privacy of individuals like- Section 43,66 (punishment for hacking), Section 66E (imprisonment for violation of privacy), Section 72A (penalize for unauthorized use of personal data) etc. But, what the legal system of India lacks is a law solely dedicated to preserving data privacy and proper implementation.
A positive effort towards this direction is Personal Data Protection Bill, 2019 (PDP Bill), which is based on the draft proposed by B.N Srikrishna Committee. This bill is an alternative for Section 43A of the IT act and will repeal it. This bill is not only applicable to persons in India but also to persons outside India that carry out their business in India. It also seeks to establish a Data Protection Authority of India that will be dealt with issues about data security. Organizations that deal with the personal data of individuals have to follow certain rules like taking consent of individuals for using their data, appointing a Data Protection Officer by the Significant Data Fiduciary, setting up a grievance redressal mechanism, reviewing and updating their policies concerning data protection, etc. The Bill includes the penalties such a fine of Rs. 5 crores or 2% of worldwide turnover for minor violations and Rs 15 crore or 4% of total worldwide turnover for more serious violations.
However, this bill has not been enacted and how it will be implemented remains to be seen.
RBI’s stance on the issue
MobiKwik has faced a lot of criticism for the kind of response it gave to the data breach incident. RBI has asked the company to investigate the data breach and find the real cause. RBI has also warned that if any lapses are found from the company side, it will have to face serious actions and also RBI has the authority to fine online payment service providers of minimum Rs. 5, 00,000. MobiKwik has been ordered by RBI to carry out a third-party forensic audit at the earliest by a CERT-IN (Indian Computer Emergency Response Team) and submit reports at the earliest.
Further, there has been a surge in complaints to the RBI related to funding transfers and UPI transactions. In March 2021, under the directions from RBI, banking regulators came up with prescriptive guidelines for digital transaction security and these will be implemented within 06 months. Under these rules, you have to enter your name, card number, and expiry date, every time you make an online payment, which means instead of just entering your CVV, you have to enter all card details again and third parties would not be allowed to store the card details. The banking and non-financial companies are required to conduct a regular vulnerability test of their system, adopt the highest standards of security to avoid data breaches, and provide a safe-n-secure environment for digital payments. For mobile applications, RBI has specified that they have to come up with a better authentication tool for a transaction other than the one-time-password authentication. The Reconciliation process of transactions should follow a near-real-time framework that ensures all stakeholders are provided necessary information about a transaction within 24 hours. Banks and Non-banking financial companies are required to have a specific section regarding digital payment products that deal with the procedure of lodging complaints. The web pages that provide digital payments, have to ensure that sensitive information of customers is not stored in HTML fields, cookies, or any other client-side storage.
However, some companies like NASSCOM, Amazon, etc. Have raised concerns over these rules stating that these will hamper the process of online payment, resolution of complaints, etc.
Conclusion
There is no skepticism about how important could be an individual’s private data, and presently it has become inevitable to not give our personal information as managing and regulating our financial, health, business, etc. works require these data, so expecting a proper and strict regulating system from the companies is legitimate and holding them accountable is necessary. Efforts have been made to prevent data breaches but still, our legal system lacks the kind of strictness and strongness needed to tackle the notoriousness of the dark web and hackers.
REFERENCES
- https://timesofindia.indiatimes.com/business/india-business/rbi-orders-MobiKwik-to-probe-alleged-data-leak-report/articleshow/81858618.cms
- https://www.thehindubusinessline.com/info-tech/data-of-35-m-MobiKwik-users-allegedly-hacked/article34192591.ece
- K.S Puttaswamy and Another vs UOI and Others (2017) 10 SCC 1
- https://www.lawctopus.com/academike/right-to-privacy-on-the-internet/
This article is authored by Meghna Pareek, Student at Institute of Law, Nirma University.
