data theft

This article has been written by Harihar K, pursuing a Privacy Technologist Training Program from SkillArbitrage and edited by Shashwat Kaushik.

Introduction

The year was 1993, when the world was just waking up to get blanketed by the new phenomenon of the internet. In just three years, there were over 77 million active users of the internet in 1996. Today, surpassing the phase where humans use the internet, we have built multitudes of gadgets that use and entirely depend on the internet, which we call the Internet of Things (IoT). Smart devices are all over the place and are an inherent part of our personal and professional spheres. They let us monitor situations and parameters through other viewing devices that can be voice-activated. These devices, constantly linked to the internet, collect, store, and may even transmit personal data without consent. Without robust network security, they can be exploited by hackers, who may target them with malware. They, hence, pose pronounced threats to privacy and data breaches by cybercriminals. This article will present the risks involved in data security and the losses that are incurred in the event of a data theft.

Trends in IoT cyberattacks

Over the past decade, the variety of IoT devices being developed has become harder to count day by day. As humanity envisions designing smart homes, smarter cities, and intelligent industrial spaces, we seek to capture data in as many ways as possible. With that being the underlying idea, numerous domestic, medical, and industrial devices are hitting the market each year. While they are used for an array of applications, their commonality lies in their single purpose of making our lives more and more convenient. It is making our homes, work environments, and public places intelligent.

Download Now

IoT devices connected to the internet and clouds constantly gather data and interact with other accessible devices in the network. While 7 billion active IoT devices are already in use worldwide, the projected growth numbers are only staggering at 20 billion devices by 2025. This is 17% year-on-year growth in the last 5 years. This enormous growth also comes at the price of data security.

While on the one hand, we have numerous cases of IoT-focused cyber attacks, on the other hand, there is an ongoing pursuit in this area to safeguard against cyber criminals. We will be amused if we analyse the kinds of devices involved in the security incidents in 2023. They range from the most obvious ones, like smart TVs, smart wearables, and smart speakers, to the devices we most likely take for granted, like security cameras, fax machines, LED smart bulbs and even coffee vending machines. In a sensational incident in the US, a top e-commerce major faced a class action lawsuit for multiple hacking events in the security camera models it sold. The aftermath analyses of the incidents pointed to several risk factors involved with the devices permitting unauthorised access to the user’s Wi-Fi network and even other devices linked to that network! The company’s similar products came under the scanner for other critical dangers of letting the hackers access the device’s recorded footage.

Vulnerabilities of data theft

The year 2023 saw one of the most destructive data breaches from cyber-attacks that let out over 6 billion records of data. The biggest single incident in 2023 was in the UK, where nearly 4 billion records were breached. In a publicly disclosed data security incident concerning an attack on a popular parental control mobile application in the UK, 300 million records of parents and children were compromised. The stolen records usually involve names, emails and email attachments, phone numbers, employee IDs, and more. These are sensitive pieces of information that we ought to safeguard, even in a non-digital world. Exposed personal data has the risk of being used for subsequent phishing attacks on emails and mobile phones. Some criminals may sell the stolen data on the Dark Web, which has other grave dangers of being used for targeted online blackmailing, extortion or even identity theft and impersonation on social media.

Monetary loss

A cyber-attack comes at a heavy price, both for the data loss per record lost and for upgrading the data security to prevent future attacks. By analysing breach data from 16 countries belonging to over 550 entities that faced security incidents, it has been observed that an average data breach costs $4.45 million in 2023 and has been escalating like never before. In the case of a ransomware breach, the average total cost is the highest at $5.13 million in 2023. The biggest breach in 2023 had a record-high breach cost of $332 million. These costs will be reduced by an average of $1.76 million when using security AI and automation. It has been identified that organisations with incident response teams that specialise in quickly responding to cyber-attacks have helped prevent several breaches successfully. Implementing incident response plans has seen positive impacts in how much they save in subsequent damage costs, which are huge.

Apart from these, there are other costs that the companies will have to bear for inadequate security measures. Many nations, to streamline data protection and inculcate its seriousness, have been imposing hefty fines for non-compliance with data regulations. These fines can depend on the type of violations the companies committed. Over the past few years, many well-known brands have been in the headlines for having to bear these costs. Some of the most popular brands with the largest market capitalisations have failed at least once to safeguard public data. A Chinese social media supergiant reportedly faced a whopping fine of over $400 million in 2021 by Irish authorities. The company was fined for non-compliance with the European GDPR law concerning how it processed the children’s data. The users of its smartphone application were not verified for their age upon signing up, leading to age-restricted content being accessible to children.

Non-monetary loss

In the age of information, what could be scarier than a stranger having access to details of your name, social identification numbers, employment details, residential address and even worse, your banking details? While the companies are already struggling with the financial losses from such incidents, they also deal with data loss and reputation damage. For an established brand or a start-up, the biggest concern in these situations would be the damage they cause to customer trust and confidence, which is challenging to earn back easily.

According to a recent survey by Irdeto, a cyber security services company, of the organisations that faced IoT-based cyber security incidents, 90% confirmed some forms of damage from these incidents. While we face financial impacts from non-compliance and may invariably upgrade our data security after an incident, the loss of data is not entirely repairable. If the data breaches are of households, then the individuals are directly exposed to the risks of other forms of attempts at manipulation by fraudsters who stole such records.

Securing tomorrow

The frequency and rates at which data security incidents have been unfolding in the past few years have evoked a sense of urgency among countries, governments, and digital lawmakers for escalating data security. As the number of incidents is on the rise, the cost of data security, owing to the infrastructure needed to be better equipped, is skyrocketing. Even though it takes time to identify a data breach, it is possible to learn about them early on if we are vigilant enough. It has been found that the average time for detecting a breach is more than 204 days. Further, this takes close to 3 months to resolve, especially if there has been an instance of compromised passwords. These efforts are further amplified when the data is processed in a cloud environment. It is only through a better understanding of data security laws, threat detection methods, and incident response tools that we can ever minimise these losses.

The strategies to prevent these incidents fail mainly because of a lack of seriousness and the education needed to fully understand the risks they pose. Companies must impart internet security knowledge transfers and mock drills to not fall prey to phishing attacks while at work. Any insecure network is paving the way for illicit access. Maintaining secure passwords, having strong network protocols, fostering robust authentication methods, using software with updated security, and enabling secure data storage alone can help one protect themselves from IoT data breaches.

Data theft laws in India

India has several laws and regulations in place to protect against data theft. These laws and regulations aim to safeguard individuals’ personal information, prevent unauthorised access to sensitive data, and ensure that organisations handle personal d ata responsibly.

1. Information Technology Act, 2000 (IT Act):

  • The IT Act is the primary law governing information technology, including data protection, in India.
  • Section 43A of the IT Act criminalises unauthorised access, modification, deletion, or destruction of computer systems or data.
  • Section 66C of the IT Act prohibits identity theft and impersonation.
  • Section 72A of the IT Act provides for the protection of sensitive personal information (SPIs) and requires organisations to obtain individuals’ consent before collecting, using, or disclosing their SPIs.

2. The Personal Data Protection Bill, 2019:

  • The Personal Data Protection Bill, 2019 is a proposed comprehensive law that aims to regulate the processing of personal data by organisations in India.
  • The Bill introduces the concept of data fiduciaries, who are responsible for protecting personal data in their possession or control.
  • The Bill also includes provisions for data subject rights, such as the right to access, rectify, erase, and port personal data.

3. The Reserve Bank of India (RBI) Guidelines on Information Security, 2016:

  • The 2016 RBI Guidelines on Information Security require banks and other financial institutions to implement robust information security measures to protect customer data.
  • These guidelines include requirements for data encryption, access control, incident response, and security audits.

4. The Telecom Regulatory Authority of India (TRAI) Regulations on Privacy and Security, 2011:

  • The TRAI Regulations on Privacy and Security, 2011 set out requirements for telecommunications service providers to protect customer data.
  • These regulations include requirements for data encryption, access control, and incident response.

5. The Indian Computer Emergency Response Team (CERT-In) Guidelines:

  • CERT-In is the nodal agency responsible for cybersecurity in India.
  • CERT-In issues guidelines and advisories on cybersecurity best practices, including guidance on data protection.

6. The National Critical Information Infrastructure Protection Centre (NCIIPC):

  • The NCIIPC is responsible for protecting critical information infrastructure in India.
  • The NCIIPC has issued guidelines and standards for the protection of critical information infrastructure, including data protection.

These laws and regulations provide a framework for organisations to protect data from theft and misuse. Organisations must comply with these laws and regulations to ensure that they are handling personal data in a responsible manner.

Data theft cases in India

In India, there have been several significant data theft cases that have raised concerns about cybersecurity and privacy. These cases highlight the need for robust data protection measures and the importance of raising awareness among individuals and organisations about the risks associated with data breaches. Here are some notable landmark data theft cases in India:

  1. Aadhaar data breach:
    • In 2018, a breach of the Aadhaar database exposed the personal information of millions of Indian citizens. This included sensitive data like names, addresses, fingerprints, and biometric details.
    • The breach raised questions about the security of the Aadhaar system and prompted a Supreme Court ruling that limited the use of Aadhaar for government schemes and services.
  2. Paytm data breach:
    • In 2020, Paytm, a leading digital payments company in India, reported that some of its user data had been compromised.
    • The breach affected over 3.5 million users, exposing their personal information, including names, phone numbers, and email addresses.
    • The incident highlighted the vulnerabilities of digital platforms and the need for stronger authentication mechanisms.
  3. COVID-19 vaccine registration data breach:
    • In 2021, a data breach occurred during the COVID-19 vaccine registration process in India.
    • The breach exposed the personal information of over 100 million individuals, including names, addresses, and phone numbers.
    • The incident raised concerns about the management of sensitive data during public health emergencies and the need for better data protection protocols.
  4. Air India data breach:
    • In 2021, Air India reported a data breach that affected over 4.5 million passengers.
    • The breach exposed sensitive information, including passport numbers, credit card details, and frequent flyer program details.
    • The incident highlighted the importance of securing airline passenger data and implementing robust cybersecurity measures.
  5. Maharashtra Government data breach:
    • In 2022, a data breach occurred in the Maharashtra government’s IT infrastructure.
    • The breach exposed the personal information of over 7 million citizens, including names, addresses, and Aadhaar numbers.
    • The incident underlined the need for government agencies to adopt rigorous data protection standards and invest in cybersecurity measures.

These landmark data theft cases in India underscore the urgent need for stringent data protection laws, robust cybersecurity measures, and heightened awareness about data privacy. Strengthening data protection frameworks and implementing comprehensive cybersecurity strategies are crucial to safeguarding sensitive personal information and preventing future data breaches.

Conclusion

Despite knowing the vulnerabilities of IoT devices, most businesses that suffered cyber-attacks had no clear plan for handling them and lacked comprehensive techniques to be secure. Now that the countries are lining up with their own data security and privacy policies, it is the need of the hour for institutions to seek collaboration with technology experts and legally sound policymakers to always be on the watch for threats and stay on guard.

References

LEAVE A REPLY

Please enter your comment!
Please enter your name here