This article has been written by Hema Modi pursuing the Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
With the advent of the 21st century, often called the “technological era”, and the pandemic of the past two years, the world has witnessed a paradigm shift to the digital world. In this digitized world, everyone has access to mobile phones and the internet, which enable us to connect globally and stay updated on day-to-day events happening all around the world. However, as every coin has two sides, the use of the Internet has its cons too. We, as users, provide all our private information on the internet, which is misused by hackers who invade our right to privacy, thereby violating it. According to a recently released report, there were 5 billion data breaches in the initial 5 months of 2021. This shows that every day some account or other suffers an invasion of privacy by hackers; hence, this article covers one of the largest security breaches, which occurred on the Zomato platform in 2017.
Zomato’s security breach
A security breach is an event or incident in which a person gains unauthorized access to an organization’s computer data and personal information. Breaches usually happen because of human error, e.g., someone disclosing their password, or because of old vulnerabilities in the system or its software. Zomato faced exactly such an issue and was the victim of one of the largest security breaches in recent years.
Zomato is an online platform for restaurant search and food delivery on which a large number of customers have their data stored. Unfortunately, about 17 million user records were stolen from its database, containing names, emails, numeric user IDs, usernames and password hashes. According to the sources, the data leak started in November 2015, when the website’s data was leaked online. Unfortunately, the email ID and password of one of Zomato’s developers were also leaked, as he was using the same email and password combination on GitHub.
The incident took place in 2015, when Zomato did not use two-factor authentication on GitHub, and therefore the hackers were able to access the developer’s login details. This in turn led to the details of the 17 million users being exploited and sold on the dark web, as reported by a security blog known as Hackread. The report also said that a hacker named “nclay” offered to sell the entire package of data for $1,001.43 and, to prove its authenticity, even published data and evidence on the website.
Implications of a Data Breach
The data breach had grave implications for its users as well as for the entity itself, i.e., Zomato.
Implication on users
The hackers gained access to the names, addresses, etc. of the users, which is considered sensitive personal data. Such data can be used to directly or indirectly identify a person and to misuse that person’s identity.
Furthermore, they can easily access the credit and debit card details of the customers, exposing them to greater risk. Hackers may use this information to send spam emails, make spam phone calls, execute phishing attacks on bank accounts, coerce and blackmail users, or simply withdraw money from their accounts. Moreover, with basic personal information in the hands of the hackers, they can impersonate any individual without that person’s knowledge and deceive other people.
For instance, we often receive calls from an unknown number congratulating us on winning Rs. 5 crores as a jackpot, following which the callers ask for credit card details. They even recite our own relevant details to camouflage themselves as genuine agents of a bank, and we, as vulnerable people, usually provide what is asked, after which the hackers use our information to extract our money and abscond.
Hence, the person whose data is leaked is the most vulnerable, being the main victim of such cyber crimes, unless and until proper action is taken to stop the misuse or mishandling of the information.
Implication on Zomato
The impacts which an organization has to witness are:
- The potential theft of data results in loss of trust of consumers and various other stakeholders. It shows that the company is unable to protect the private information of its users, and hence devalues a brand that was built with so much difficulty.
- The company/organization has to bear the financial costs arising from the breach, including compensation paid to consumers, a decrease in share value (if any), and the cost of removing the vulnerabilities to strengthen the security of its platform.
- A data breach often impedes the operations of the business. Since a security breach can lead to the loss of all the important data, it takes time to recover that data, which sometimes results in the temporary closure of all the operations or activities of the company.
Laws regarding data breach
Presently, there is no specific legislation in India, but fortunately a bill has been proposed, known as the “Protection of Data Privacy Bill, 2019” (“PDP Bill”), which has been referred to a Joint Parliamentary Committee. The PDP Bill aims to protect the privacy of individuals with respect to their personal data and its usage. It also provides a framework for organizations to process data, lays down norms for social media intermediaries, establishes the accountability of entities that process personal data, and provides remedial measures for unauthorised and harmful processing of data. However, as of today (while the PDP Bill is still not in force), some Indian laws do provide for the protection of data privacy, although they are not as stringent as the GDPR and other regulations implemented in other countries.
Information Technology Act (“IT Act”), 2000
Section 65 of the IT Act, 2000 contains a provision against the unauthorised use of computers, computer systems and data. This means there is a law that prohibits security breaches and provides punishment for them. However, this section does not provide for the liability of intermediaries such as Internet Service Providers (“ISPs”) (Airtel, Jio, etc.) or Network Service Providers (“NSPs”), or of entities handling data, even though hackers can gain access to information through these platforms as well. Additionally, Section 79, which deals with the liability of such entities, keeps them outside the purview of liability: if the ISPs and NSPs prove that the offence or contravention was committed without their knowledge, or that they had exercised all due diligence to prevent the commission of such offence or contravention, they are not held liable.
The Supreme Court, in Google India Pvt. Ltd. v. Vishakha Industries and Anr., held that intermediaries enjoy comprehensive protection from liability under Section 79. Hence, if the intermediaries prove that the matter was outside the scope of their knowledge, they are exempted from liability.
Indian Penal Code, 1860
The criminal law, prima facie, does not contain any provision for the protection of an individual’s personal data. However, protection can be inferred from Section 403 of the Indian Penal Code, which imposes a penalty for the dishonest misappropriation or conversion of “movable property” for one’s own use; here, movable property is read to include an individual’s data. For instance, a company collects the personal information of some individuals in good faith, to use it to enhance the features of a website and provide better services to those individuals. Later on, however, the company sells that information to a third party. In such a situation, the company will be culpable for dishonestly misappropriating data.
Indian Copyright Laws
Literary work is defined under Section 2(o) of the Copyright Act, 1957 as “computer programs, tables and compilation including computer databases”. This means that a compilation of a list of clients/customers, even a non-original one, developed by a person by devoting time, money, labour and skill, amounts to a “literary work”. Hence, when a hacker gains access to the company’s database, the organization can claim copyright infringement under the said Act.
Threats of the dark web
The dark web is a subset of the deep web containing only those sites that are accessible via specialized web browsers and that are not indexed by search engines. Using the dark web is not illegal per se, but accessing it can have dangerous consequences. The leaked Zomato data was alleged to have been sold on the dark web.
Some of the potential threats to the victim of leaked data on the dark web are:
Vulnerable to malicious software
The dark web is an area free from any scrutiny and inspection; hence some websites on the dark web could easily release harmful software that damages one’s computer system, and the accused may remain untraced because of the anonymity it affords. This may also lead to webcam hijacking, wherein someone can watch all of another person’s activities through the device’s camera.
Constant monitoring from the government
As we know, there is no scope for police surveillance on the dark web, but unfortunately there are government spies who keep a constant watch for any anti-establishment view or ideology opposed to the ruling government. This may result in the imposition of liabilities and imprisonment for enticing or attempting to wage war against the government, and hence poses a potential risk of invasion of privacy.
Possibilities of financial frauds and scams
There have been cases where this platform facilitates illegal activities such as trafficking in sex and weapons, phishing attacks, paid assassinations, and many more.
Thus, it is pertinent to note that because of a slight loophole or mistake on the part of one of Zomato’s employees, the data and personal information of 17 million people were put at risk. Zomato claimed that it stored the passwords in hashed and salted form, so that they cannot be converted back to the original. (Here, hashing means a process that converts the original password into a fixed string of seemingly random characters, which makes it difficult for hackers to convert it back to plain text, and salting means that additional random characters are mixed into the password so that the stored value does not reveal the exact password for an account.) However, there is a possibility that hackers may reverse-engineer the hashes and recover the passwords, as they did with LinkedIn users in 2012. With these, they could easily gain access to various other information with the help of modern tooling. Hence, Zomato cannot ignore the possibility of its passwords being cracked.
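The difference between the two storage schemes discussed above is easiest to see in code. The following example is added here for illustration; it is not Zomato’s code and does not reflect how Zomato actually stored passwords. It contrasts a deterministic, unsalted hash (the kind of scheme whose digests can be matched against a precomputed table, as happened with the 2012 LinkedIn leak) with a per-user random salt combined with a slow key-derivation function (PBKDF2-HMAC-SHA256). The usernames, passwords and iteration count are constructed sample values, and the duplicate-digest check is a simple audit a defender can run over a stored (or leaked) table to tell whether hashes were salted: many accounts sharing one digest is a strong sign they were not.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample accounts (hypothetical data, not real user records).
# Two of them chose the same password on purpose, to show how each scheme treats that.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "Summer2017!",
    "bob": "Summer2017!",
    "carol": "correct horse battery",
}

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_hash(password: str) -> str:
    """Deterministic, unsalted SHA-1 (the scheme behind the 2012 LinkedIn leak).

    Every account with the same password gets the same digest, and because the
    digest of any common password is the same everywhere, it can be precomputed
    once and matched by simple lookup.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt mixed into the password before hashing, through a slow KDF.

    Returns (salt, digest). Both are stored next to the account; the salt does
    not need to be secret, it only has to be unique per user.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    """Build a password table the insecure way: username -> unsalted digest."""
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def store_salted(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a password table the recommended way: username -> (salt, digest)."""
    return {name: salted_hash(pw) for name, pw in users.items()}


def duplicate_digest_count(digests: Iterable) -> int:
    """Number of accounts whose digest is shared with at least one other account.

    Defender's audit: in a salted table this should be zero even when users
    share passwords; a non-zero count in a leaked table points to unsalted hashes.
    """
    counts: Dict[object, int] = {}
    for d in digests:
        counts[d] = counts.get(d, 0) + 1
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    plain = store_unsalted(SAMPLE_USERS)
    salted = store_salted(SAMPLE_USERS)
    print("unsalted duplicates:", duplicate_digest_count(plain.values()))
    print("salted duplicates:  ", duplicate_digest_count(d for _, d in salted.values()))
    s, d = salted["alice"]
    print("alice correct password:", verify_password("Summer2017!", s, d))
    print("alice wrong password:  ", verify_password("summer2017!", s, d))
```

Run as-is, alice and bob share an identical unsalted digest (so one precomputed lookup would reveal both), while their salted digests differ and only the correct password verifies. The iteration count is what makes guessing slow for an attacker who obtains the table; a real deployment would tune it (or use a memory-hard function such as scrypt or Argon2) rather than keep the figure assumed here.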
This poses potential threats to Zomato users, as their data would be released on the dark web, where it is exposed to even more harmful risks. One of the reasons such incidents take place on a regular basis is the lack of comprehensive legislation pertaining to privacy and data protection. Bringing in the PDP Bill is a great step and effort by the legislature; however, it is necessary to give further impetus to effective implementation of the law once it is enforced.