Who stole my data? | #deepweb | #darkweb | #hacker


Recent incidents of cyber hacking have exposed how users have no legal or technical protection — not even the right to know — when their personal details have leaked.

When was the last time you heard about a data breach? A fortnight ago, it came to light that grocery platform Big Basket’s data had been compromised, and personal information of some 20 million users was up for grabs on the internet for $40,000. In October-November, pharma companies Dr Reddy’s and Lupin both reported cyber attacks on their IT systems, while education start-up Unacademy admitted to a hack that leaked data of about 22 million users in May. Last year, the State Bank of India exposed customer data after it failed to secure one of its servers. The Indian Computer Emergency Response Team (CERT-In), the national cyber security agency, says there were over 3.13 lakh incidents in 2019 alone.

But when was the last time you heard of a company — or even a bank — being penalised for a data breach? “In India, probably never,” says Ramanjit Chima, senior international counsel and Asia Pacific policy director at Access Now, a global advocacy group. “You will always hear reports of a data breach, and then, nothing. Not a single Indian company till date has been fined or prosecuted for a data breach.” Indeed, unless a company is operating in a critical space like infrastructure or defence, it is not even required to report a data breach. If external agencies like the US-based Cyble had not flagged the Big Basket and Unacademy incidents, users would never even have known that their data had been exposed.

“In our country, technology has moved on — hackers and cyber criminals have become smarter — but the law has not kept up,” says Ajay Singh, cyber security expert and corporate adviser. In the absence of legislation, consumers in India have no right to take action against an organisation that may have allowed their most sensitive personal details like names, phone and bank account numbers, various passwords and such to get out. Unlike in the US or Europe, Indian companies are not even bound to disclose a breach.

Data is the new oil. So when there is a breach, it gushes out and flows away. “For every data breach that we hear of, there are hundreds that go unreported,” says Rizwan Shaikh, security researcher and founder of Pristine Infosolutions. “Once it’s out there, it’s very hard to figure out who stole it or even how to retrieve it, unless you buy it back or pay a ransom.” The dark web, a parallel internet space, best known for its shady and criminal dealings, is where the data usually ends up. “And since all transactions on the dark web are in bitcoins, it’s difficult to trace it back to anyone,” adds Shaikh.


According to an annual IBM study called Cost of a Data Breach, the average cost of a breach in India in 2020 was Rs 14 crore — up 9.4 per cent from last year. That works out to approximately Rs 5,522 for a single stolen or lost record, and is about 10 per cent higher than 2019. The study also says that the average time taken to contain a breach increased from 77 days to 83.

So how does your data get out there? According to the IBM report, 53 per cent of breaches in India in 2020 were caused by malicious attacks; 26 per cent by system glitches; and 21 per cent by human error. Rather than brute-forcing through security barriers, many incidents are inside jobs: a disgruntled employee who has recently been sacked, for example, or a competitor trying to defame the organisation. It could also be sheer carelessness on the part of employees. “There are bank branches where, if you have a good rapport with the managers, they may agree to send you someone’s account details over a WhatsApp message,” says Shaikh. “That’s all it takes.” E-commerce companies that tie up with third-party players for certain functions, like the payment gateway, also risk losing their data if their partners’ websites are hacked. More traditional companies may have excellent firewalls, but their supply-chain partners may not.

Shaikh adds that certain directory services sometimes sell their segregated data. “The going rate is Rs 15-20 per line,” he says. “It doesn’t seem like much, except when you consider that these portals have hundreds of companies who have voluntarily signed on for better reach. One can make a tidy packet.” In 2019, search provider Just Dial faced a data breach and the details of some 100 million users got out. For any organisation, storing passwords in clear text rather than as salted, slow-to-compute hashes is a risk in itself: once the user table leaks, every password in it is immediately usable, and reused passwords open accounts elsewhere.
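The password-storage point above is the one place in this piece where the difference between a bad breach and a catastrophic one is a few lines of code. The example below is added here and is not code from the article or from any company it mentions. It contrasts what a leaked user table looks like when passwords are kept in clear text or as a fast unsalted hash (crackable offline for every user at once) with a per-user salt and a deliberately slow key derivation function. The storage format string, iteration count and sample users are my own choices; PBKDF2-HMAC-SHA256 from Python’s standard library is used for portability, and scrypt or Argon2 would be preferable where available.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# --- What a breached table looks like when storage is weak -------------------

def store_plaintext(password: str) -> str:
    """Clear text: the leaked record IS the password."""
    return password


def store_unsalted_md5(password: str) -> str:
    """Fast, unsalted hash: identical passwords hash identically across users,
    and attackers test billions of guesses per second against the whole dump."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(dump: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Offline attack on a leaked table of unsalted hashes. Because there is no
    salt, one precomputed hash per candidate word is checked against every
    user at once. Returns the users whose passwords were recovered."""
    lookup = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {user: lookup[digest] for user, digest in dump.items() if digest in lookup}


# --- Hardened storage --------------------------------------------------------

PBKDF2_ITERATIONS = 600_000   # assumption: tuned so one check costs ~0.2-0.5 s on a server
SALT_BYTES = 16
DK_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Random per-user salt plus a slow KDF. The record carries its own
    parameters ("pbkdf2_sha256$iterations$salt$digest") so they can be raised
    later without invalidating old records."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, DK_LEN)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so timing does not leak how many leading bytes matched."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations), DK_LEN
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample data: two users who chose the same weak password.
    leaked_unsalted = {
        "alice": store_unsalted_md5("password123"),
        "bob": store_unsalted_md5("password123"),
        "carol": store_unsalted_md5("zQ9!kx#Vm2"),
    }
    print("recovered from unsalted dump:", crack_unsalted_md5(leaked_unsalted, ["123456", "password123"]))
    record = hash_password("password123")
    print("hardened record:", record)
    print("login with correct password:", verify_password("password123", record))
    print("login with wrong password:", verify_password("password124", record))
```

With the unsalted dump, both alice and bob fall to a two-word list in one pass; with the salted records, each user has to be attacked separately and every guess costs 600,000 HMAC iterations, which is the whole point of the scheme.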

“While a company itself may have multi-layer protection, in these days of work from home, employees have stepped outside the limits of corporate infrastructure and made it more challenging for the internal security teams,” says Singh. “They may not use a VPN while accessing corporate resources, and open themselves up to an attack.” When it comes to targeting individuals, Singh says cyber criminals bank on people’s ignorance or lack of alertness to extract information. “Most people may innocently click on a link and find all their credentials gone,” adds Singh. “With most bank frauds, that’s what happens. Once they have your details, the attackers can do anything with them. They can clone your SIM card, change your mobile number and redirect all PIN numbers and passwords away from you.” According to Singh, the only way such attacks can be stopped is with multi-factor authentication. “Passwords are an ancient form of technology that started in the 1970s,” says Singh. “Today if you want to protect your systems, you should use things such as location tracking or biometric markers.” Cyber criminals are, however, always one step ahead; the latest TTPs (tactics, techniques and procedures) for defrauding people are readily available on the dark net, for as little as a few dollars.

The price that stolen data commands depends, of course, on its sensitivity. “From the time a person is in contact with a website, the website starts collecting your data,” says independent security researcher Pawan Chhabria. “In order to book something, we need to provide information, which is then stored in databases, and these are then sold.” According to Chhabria, there is maximum demand for expertise, patents and research that will enable a company to earn profits for the next 40 to 50 years and may be replicable, or for information relating to national security. “Reputed organisations working in the space of defence and such take great pains to secure their data,” says Chhabria, “and still face attacks, which may sometimes come from beyond our borders.” Next is healthcare information, particularly patient data. A few years ago, a Hollywood actor who had cancer faced a ransomware attack, with hackers threatening to leak his medical records to the public. With millions riding on his films and career, he had no choice but to pay up.


“Last is financial information — bank accounts, credit and debit cards, UPI IDs and such,” says Chhabria. The asking price for Big Basket’s data allegedly dropped from $40,000 to $12,000 to $500, experts say, after the company reiterated that only names, addresses, dates of birth and the like had gone out, and not subscribers’ financial details. “The first-level person who tries to sell this data on the dark web is just trying to make a quick buck,” says Singh. “But there is someone else behind him, a more sinister presence, who will buy the data just to perpetrate further attacks on each of the people whose information has been leaked.” In the US, companies today take out insurance against cyber attacks, and this usually covers the cost of the legally mandated disclosure of the attack and individual notification of users whose details have leaked, as well as the cost of hiring a monitoring agency to scrutinise every affected account for unusual activity, which is also a legal requirement.

Unfortunately India has no such laws, and users can do little beyond changing passwords and being alert. “The existing laws in India are deficient [to combat data breaches],” says Apar Gupta, executive director of Internet Freedom Foundation. “Sections 43A and 72A of the Information Technology Act do provide civil and criminal remedies, but there is little or no enforcement.” Parliament, he says, is considering a Data Protection Act that will ensure better penalties and also facilitate the creation of a regulatory body, a data protection authority, to look into related matters. “Each data processor, or any organisation that holds any sort of personal data about an end user, would have to notify the data protection authority at the first instance of a breach or security vulnerability,” says Gupta. “Any further action, like disclosing this to users and conducting a larger investigation and taking remedial action, will be the responsibility of the data protection authority.” The bill, however, is still at a draft stage, and Gupta believes it will be two or three years before one can “expect this form of remedy”.

There seems to be no reason to pin all hopes on the data protection bill either. “Reporting about data breaches, preventing them and helping users with data breaches is not a priority with the government,” says Chima. “India is the world’s second largest user database and holds the world’s worst record for data breaches. And we don’t have a central government apparatus to even combat this. We don’t even know who is in charge, if an incident occurs.” Chima adds that Prime Minister Modi, in his Independence Day speech, announced that India would have a cyber security strategy by September-October. “There’s still no sign of it,” says Chima. “Right now, as an Indian, you have more rights, remedies and information from global companies and the actions of regulators in other countries, than you have here in India.”



Click here to go to the original author and source to this story.
