This article is written by Erum Khatoon, pursuing Diploma in US Technology Law and Paralegal Studies: Structuring, Contracts, Compliance, Disputes and Policy Advocacy from LawSikho. The article has been edited by Zigishu Singh (Associate, LawSikho) and Smriti Katiyar (Associate, LawSikho).
With the rise in the commercial availability of AI-enabled devices, the rate of data breaches and losses has also increased manifold. In the first half of the year 2021 alone, India has experienced a loss of around INR 165 million resulting from data loss due to malware attacks. The interesting fact is that the majority of data compromised belonged to big companies like Facebook, Air India and Dominos India. So, what specifically is a data breach and how is it triggered? This article aims to actualize the types of attacks that have already occurred in India this year and to unfold the truth behind this booming industry of malware attacks.
Most common types of electronic data breaches
Although the consequences and the risk involved are the same, there are four types of data breaches from the point-of-view of the mode of execution.
- Ransomware attacks,
- XSS attacks,
- Man-in-the-Middle attacks,
- SQL Injection Attacks.
Ransomware may attack a system by either remote platform hacking, an email phishing scheme or a compromised employee credential. The most common type is through email which contains a link to a location that downloads malware to the computer that could affect the whole network and subject it to a ransomware attack. Now, as most systems have malware scanning enabled for all downloadable files, the hackers may protect their files by putting password protection on their files which obviously will be shared with the same email. Once clicked, the encryption of the whole system occurs and access to the system is blocked. If the system is related to a business, the ability to transact would stop. At this point, the hacker notifies the system user of the encryption and may explain how an asymmetric cryptographic algorithm is used to encrypt/ decrypt the data and what amount of ransom needs to be paid in order to obtain the public key to get the files back. The cost is usually in bitcoins and the FBI had even traced a bitcoin wallet this year performing such activities.
Cross-site scripting is another form of attack where malicious code is injected into trusted websites. An unsuspecting user usually clicks on such code and this is how the malicious script gains access to cookies, tokens and other information on the browser.
Man-in-the-middle or MitM attacks are held by an attacker who interrupts an existing conversation or data transfer that is being held between two systems by pretending to be a legitimate participant.
SQL Injection attacks were faced by Sony Pictures and Microsoft. In this type of attack, a hacker manipulates a database by using a piece of a structured query language. It may result in obtaining administrative rights to the entire system.
Some of the most well-known high-risk incidents that occurred in India are discussed below.
Domino’s India incident
In the month of May, 2021, a huge leak of customer data was experienced by the famous pizza brand namely, Dominos, India. The full details exposed included names, addresses, delivery location, cell numbers and email IDs of 1 million customers who had placed orders on their portal either through mobiles or computer systems. The total number of orders was 18 million.
Juspay is an India-based payment processor that is used to transfer money through various platforms such as Amazon, Swiggy etc. An unidentified breach occurred in 2020 concerning 35 million user accounts of Juspay, India. The same was identified by a cybersecurity researcher in 2021 when he surfed around the dark web and saw the data being sold for USD 5000. The compromised data included masked card data and fingerprints of the card users. The hackers had chosen Telegram App for price negotiation due to its ability to self-destruct the messages within a specified time.
Police Exam Database incident
The data from an exam for the recruitment of Police officers in December 2019 in India was hacked which resulted in a leak of sensitive information of all the 50,000 participants. The bio-data of the candidates including their full names, dates of birth, mobile numbers, email IDs, FIR records, and criminal history were all put up for sale. It was identified by a firm named CloudSEK when a sample was shared with them by the hacker.
COVID-19 Results Database incident
At the beginning of 2021, a database containing the information of at least 1500 Indian citizens was compromised as a result of an attack on government websites. The hackers had made the data publicly available through downloadable PDF files. It was later found that New Delhi-based agencies were involved in the attack.
A similar incident had occurred in 2020 when the database of Delhi State Health Mission was hacked to obtain the information of 80,000 COVID-19 patients. The Kerala Cyber Hackers group had taken responsibility for the attack and stated that the reason for doing so was dissatisfaction with the way the government was dealing with healthcare personnel.
MobiKwik data breach incident
MobiKwik is an India-based digital payment company that offers mobile-based payment options and a digital wallet facility. In February, 2021 the records of 110,000 million users were leaked. The company denied the occurrence of any such data breaches however, two separate and independent researchers had found the data being sold on the dark web.
Upstox data breach incident
Upstox is a leading stock trading/ brokerage company where web and mobile-based accounts may be opened for trading in shares, mutual funds and Initial Public Offerings. In April 2021, around 2.5 million records (which is almost 2/3rd of their database) were compromised and later found to be hacked by a threat group who called themselves, “Shiny Hunters”. It was found out later that the hackers had acquired the Amazon Web Service Key through which access to the accounts information was obtained.
Air India data breach incident
Air India, the national Airline of India experienced a data breach in February 2021 when a record of a total of 4.5 million global customers was hacked when its Data Management Service Provider, namely, SITA PSS was accessed unauthorized. The compromised records revealed data ranging from years 2011 to 2021. The company intimated all its users in a timely manner to update their passwords to avoid and misuse. As Star Alliance and One World Airlines also use SITA to manage their databases, their records were also leaked.
CAT data breach incident
In May 2021, the test results and personally identifiable information of 190,000 applicants to the Common Admission Test, conducted for the Indian Institutes of Management, was hacked and put for sale on a cybercrime forum. Other than the admission test, the academic records and past scores were also put in the forum. This was the second incident of leak of CAT admission test results (the first being in 2019) and was identified by CloudSEK.
Money control India’s incident
Moneycontrol India is an app offering investment portfolios and news of the Global Financial Markets. In April 2021, data taken from the servers of Money Control concerning a total of 700,000 users was leaked and sold online for USD 350. As identified by a cybersecurity researcher, other than user names, emails and addresses, the data also included the passwords of such account holders. After this extensive breach, the company had to reset the passwords of all of its account holders at once.
Unacademy data breach incident
Unacademy is an online education platform delivering hundreds of courses to students. In May 2020, the data relating to 22 million users was put up for sale for a payment of USD 2000. As most of these accounts were created by companies to train their employees hence, corporate email IDs were compromised as a result of it. A co-founder of the company later confirmed that no sensitive financial information was leaked in the incident.
It is a sad and shocking revelation that the top ten data breach incidents are not related to startups or small-level companies but to the most trusted and established bodies. If the level of data protection offered by the best entities is so meagre, we can assume that the overall web-security for individuals is zero. On the other hand, hacking can now safely be regarded as a money-generating profession where the identity of the culprit can be easily masked.
With daily advancements in technology, it is becoming increasingly difficult for the legal system to keep track of all the data breaches that occur, let alone bringing the culprits to justice. In this scenario, the best strategy for the companies, government bodies and even individuals is to take security measures to avoid these attacks. Companies have already started using password encryptions, OTP based login systems, and thorough background checks to avoid all sorts of incidents of stealing credentials. Although some measures have already been taken to catch the culprits, it is still a long way before the legal sector catches up with the tech industry.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: