Data breach issues in recent times. How are tech companies a target?
The next warfare will not be on Sea, Air or Land but on CyberSpace. There may not be Generals preparing War Strategies or Tanks rolling on the ground to hit targets nor gung-ho Infantry soldiers on the ground who will be facing direct enemy automatic fire.
Instead, there will be a group of nerds wearing cool sweatshirts and pants with a diet coke and some Nachos on their desk along with their Arsenal of Computers and Electrical devices. Today a computer with an internet connection is enough to disrupt a country’s economy.
In this era of mammoth corporations and industries, many companies are targeted by hackers as they are the Gold Mine of Data. The definition of Data includes everything that belongs to an individual or a Company like an Email ID, Address, Personal Documents, Name, Age, Biometrics, Chat logs etc. Hackers target them as they are sitting ducks, due to loopholes in servers or weak cyber security. Once such data is in the wrong hands it can create havoc like using it for illicit activities.
Companies like Apple, Amazon, Google, Microsoft and other elite companies of Silicon Valley all have a history of getting hacked.
In this article, we shall look into one of India’s biggest Unicorn EdTech firm ‘Byju’s’. How their servers have been breached not once but twice all during this Coronavirus-induced pandemic from 2020-2021. How Data in the wrong hands could disrupt a country’s economy or individuals’ privacy. What are the parties involved in the Cloud-Based Environment? Who will be liable for the breach? Personal Protection Bill 2019 of India. Definitions of Data under Indian and European laws context. Measures to be taken by companies to prevent and mitigate. Legal recourse in case of a breach and creating Cyber Security awareness among netizens.
Its raining unicorns in India
It’s been more than one year and the pandemic has made us stick to our homes as bunkers for soldiers during the war. But this virus has not affected the startup ecosystem in India, they are still emerging big with bright ideas and solutions to offer. Since 2020 there is a rise and shift in Indian Unicorns. The phrases ‘It’s raining unicorns for India’ and ‘India’s unicorn party is just getting started’ were everywhere in the media. This year 2021 the Indian Startup Ecosystem has seen 14 startups entering the elite class of Unicorn which includes Cred, Groww, Meesho, Pharmeasy to name a few. Byjus an Edtech platform that provides online coaching for students from Grade 5 to various coveted competitive exams like IAS, JEE & NEET, upgraded into Unicorn class in 2020 third after Paytm and OYO Rooms. But in 2021 along with an increase in counts of Unicorns, Byjus directly jumped from third to first biggest unicorn in India.
There is almost no Indian who doesn’t know Byjus, as they have a huge marketing budget. Their TV commercials aired with Film Industry’s seasoned actors like Shah Rukh Khan, Mohan Lal and Sports Tycoon like Virat Kohli. Indian cricket teams one of the many sponsors include Byjus and their Blue Jersey is engraved on the front with their initials.
Byju’s today being mammoth and second to none in the Education industry has recently made a huge controversy as their servers faced a Data Breach of its customers in June 2021. Let us discuss the series of data breach incidents that happened with Byjus within a span of 1 Year, From 2020-2021?
Byjus faced its first data breach in November 2020 followed by June 2021 breach.
November 2020 data breach
Data of White Hat Junior newly acquired by Byjus was breached. An independent cyber security researcher who doesn’t want to be named reported to the company that a server containing users Email, Name, Address, Age, Phone Number, Chat logs, user’s parent’s data and staff chats were lying unsecured and open to anyone to see, copy or download.
Company’s collect user’s data. This data is used to verify for registration and authentication on their portal. Data not only includes these but also Voice/Chat logs between students/parents and teachers, users most watched lesson/videos etc. Such data are stored either on the company’s server or a third-party cloud service provider which manages the data of the company.
June 2021 data breach
This breach was a slap to the face of this Unicorn, as this is the second consecutive breach faced by Byjus. The previous lesson wasn’t sufficient and ignored the cyber security lessons which they teach to their students in their courses.
This breach was reported in June which was open at least since 14th June 2021 as reported by Mr. Anurag Sen a Cyber Security researcher by profession. Byjus depends on Bengaluru-based startup ‘Salesken.ai’ which is an AI Customer Relationship Management services provider, for its Customer Service Management. Now as CRM is one of the prominent factors which moves the business used in business development. They collect customers data like voice and chat logs and use it to track customers’ behavior and use it to cater to them services and offers. The data include everything from Email, Address, Age, chats, mobile number etc. Most of the data was of Whitehat Junior, newly acquired by Byjus.
Now one of the servers was unprotected without any security encryption or password and open to anyone to copy the data. More than 20 thousand user’s data was breached. Salesken claims that there wasn’t any breach as it was an open-source and staging server meaning, not the actual one where real data is stored.
Byjus which gives lessons on the Data breaches and the country’s new PDP bill have themselves been breached not once but twice. If an EdTech giant can face this then any simpleton is vulnerable to this. This is not the only company but there are many Big ones like Apple, Amazon, Google and Microsoft who had the same plight.
What can be done with data?
In the Cyber Space, there is a saying ‘Data is the new oil’. Today with data under one’s fingertips is more terrifying than the Monopoly of Oil. Human’s daily shores and uses involve some or the other electronic device. From Mobile journaling to photography, shopping to repair services, we have technology and applications for everything.
Websites and applications like Facebook, Zomato, BigBasket, Dominos all are free to download and use. Now social media websites like Facebook, Gmail to name a few are totally free to users. At least that’s what they claim. In Legal Language there is the Latin term ‘Quid Pro Quo’ meaning ‘Favor for a Favor’, this applies in the cyberspace too where social media companies claim to be free but they take our data in return. We must have seen while installing an application on our phones that its mandatory to grant permission to allow them access our phone to use the services.
We grant permission by accepting the Terms and Conditions of the application without even reading it. If you check what all permissions are granted, we can see that they have access to our SMS, Calls, Photos, System, Camera, and Microphone.
By just using it we have agreed and granted access to our phone’s complete data. Today only an email and phone number are enough to hack into one’s social media account. With such data, the hacker can use it to clone ATM cards, use phone numbers and Email Ids to commit financial frauds or other illicit activities. With a company’s compromised Data, the hacker can use the contact details to contact users and harass them, use it for fraudulent purposes or rival companies using it.
Parties involved in a cloud-based environment?
Byjus and many other startups depend on cloud-based services to store and manage data viz- Amazon AWS, IBM cloud, Microsoft Azure Cloud Storage etc. Byju’s uses Amazon AWS or Amazon Web Service as their cloud services partner.
Now there are three parties involved-
- End Customer or User of the service
- Data Owner– services/products provider like Byjus, Flipkart, Pepperfry
- Data Holder– third-party cloud service provider, like Amazon AWS, IBM Cloud, Microsoft Azure Cloud Storage
Now Salesken comes under ‘Data Holder’ although they are not a cloud services provider but an AI-based CRM or Sales software.
Who is liable for the breach?
In cloud environment breaches, under US law the Data Owner or the Commercial Services provider are liable even if it’s a mistake of the Data Holder or Cloud service provider. Because Data Holder is a vendor and they are bound by Standard Vendor Agreement Contracts where consequential damages (i.e. Indirect or Special Damages or Loss of Product or Loss of Profit or Revenue) are excluded and only cap direct damages.
In the Indian context, currently, there are no specific provisions for ‘Data’. There are no provisions specifically for Data Breach in the IT Act 2000 except Section 43 A but since this act was enacted in 2000 the scope and use of this act is very limited. But a separate law i.e., ‘PDP Personal Data Protection Bill’ is on the table for framing. This will be a separate law specifically for Data Protection.
PDP Bill 2019
This bill was introduced in Lok Sabha on December 11th, 2019 by Mr. Ravi Shankar Prasad, Minister of Electronics and Information Technology. This bill amends the Information Technology Act 2000 to delete the provision of compensation payable by Companies for failure to protect personal data.
It categorizes Data into various subgroups like Biometric Data, Financial Data, Sensitive Personal Data, Genetic Data, Health Data and accordingly, penalizes defaulters. Rights of Data Principal i.e. Natural Person whom the personal data relates includes i) Obtain confirmation from the fiduciary on whether their personal data has been processed ii) seek correction of inaccurate, incomplete, or out-of-date personal data and others.
Data can be processed by a fiduciary only if consent is provided by individuals. Exceptions being by the State for providing services, legal or medical proceedings.
Right to privacy case
It was Justice Puttaswamy’s landmark judgement in August 2017 (Justice K.S Puttaswamy & another Vs. Union of India) which recognized the Right to Privacy as a fundamental right under Article 21- Right to Life and Personal Liberty in the Indian Constitution.
When an individual’s data is breached his privacy is also breached. As data contains an individual’s personal information which can be used as leverage. This judgement protects victims of data breach and gives rights to citizens.
Definitions of DATA under legal instruments
Under Indian context, the Information Technology or IT act 2000– Section 2(1)(o)– “data” means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and maybe in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;
The European Union’s GDPR or General Data Protection Regulations Article 4.1 defines– “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
From the above two definitions of Indian and European context, we can confer that data includes any information of a Natural Person or individuals Name, Sex, Age, Address, Occupation, Email ID, Phone Number, Employment Status, Chats, Pictures, Call logs. This definition is not exhaustive.
What measures should be taken by companies?
Besides allocating a huge budget for marketing and branding today its very pertinent that a good budget is allocated for Cyber Security. The new IT Rules mandate to appoint a Nodal Officer in every company who has expertise in Cyber Security and Cyber Threat Intelligence. A third-party Cyber Security firm should be hired to periodically audit the company’s Cyber Space. If the data is compromised then the users must be notified immediately.
What is the legal recourse that can be taken?
- The first thing He/She must do is change the password of Email IDs and other accounts associated with the breached portal.
- Enable 2FA or 2 Factor Authentication or Multi-Factor Authentication. It’s double security to accounts where along with the conventional password an OTP is required to be entered.
- If spam messages, calls, or emails are received then ‘Report and Block’ them.
- If still someone is harassing by asking to send money, pictures or offering a Job after paying some money or offers which are ‘Too good to be True’ then immediately contact the Local Police Station and lodge a complaint.
The 2FA or Multi-Factor Authentication is the best Anti Hack Tool as suggested by Mr. Rakshit Tandon, who is one of the best Cyber Security Experts in India now supporting the Indian Police and Defense agencies by educating, advising, consulting and working with them.
From Military systems to corporations like Apple and Google to Simpleton internet users, all are vulnerable to Data Breach and Hacking. Military, Companies and Simpletons all of them use the internet for their office work, school, training, and entertainment. Today it’s very easy to get hacked or data getting breached. From the above information, we have seen that if big companies like Byjus can have a Data breach then even a simpleton’s data can be compromised and how Cyber Security and Cyber awareness is very important to avert such situations. Hackers use small loopholes in the system and create a backdoor which ultimately compromises the whole company and the user.
- Indian tech startup exposed Byju’s student data | TechCrunc
- Thomson Reuters, Who is liable when a data breach occurs? | Thomson Reuters
- PRS Legislative Search, The Personal Data Protection Bill, 2019 (prsindia.org)
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: