More Leaks than Unicorns
At least once in our lifetime we’ve all had this question in our minds, “Why are apps like Instagram, Whatsapp, Facebook, Snapchat, TikTok, LinkedIn, Gmail, Maps and Chrome, giving us so much without charging us even a single Rupee?” And most certainly all of us know the answer to this by now – PERSONAL DATA!
From the places you visit, to what you’re speaking, these apps in your smartphone have together become nothing less than a goblin that follows you wherever you go, taking notes and reporting in real time. But this is all alright as long as we can TRUST these tech companies with our personal information. Okay, we know that’s a big word and more often than not we end up in disappointment when someone broaches this subject. So today, let’s find out how many tech companies have lost our trust by losing our sensitive and valuable personal information to wrongdoers in the recent past.
What has happened in India in the past 12 months?
In the past 1 year, more than 20 Indian Startups have lost the personal information of a combined 360 Million user accounts by way of a Data Leak or Breach.
Such personal information includes bank details, card details, contact details, personal ID details and in some cases even bio-metric data. And to top it all, they’re not non-anonymized, which simply means that all such information link back to who you are and where you live (in most cases). Let’s look into some of the major data leak/breach that have happened in the past 1 year:
March 2021 – Brace yourself: In what is being called the “biggest data breach in Indian tech history”, data of 110 Million Mobikwik users was breached and put up for sale on the Dark Web. Mobikwik is a mobile payments platform and a digital wallet. So you may guess what kind of data was leaked: personal and financial details. What’s worse is that despite making its customers aware of the breach, the company denied all claims, most likely to safeguard itself from any kind of taint on its IPO dreams. All evidence, shared over social media by cyber security experts, suggest otherwise, leading to a battle of sorts between the furious CEO of Mobikwik and the experts who denied to budge.
January 2021 – Juspay, the Startup which processes payments for Amazon, Swiggy, Uber, Ola and the likes, reported breach of Credit and Debit card details of 100 million Indians, that took place in Aug’20. Don’t worry, you’re safe if you haven’t used any of these apps…but who are we kidding?
April 2021 – Passwords of 20 Million account holders of BigBasket resurfaced on the Dark Web, from a breach that was suffered in Oct’20. Okay, this one is simple! Just change the password of your BigBasket account! Only problem: Many people use the same password across services, making accounts held with other services also vulnerable from this breach. For example, many account holders reported that their Flipkart accounts were also hacked after this breach.
April 2021 – Upstox, the online stock trading platform, suffered a data breach involving personal data of 2.5 Million Indians. What was good though is that in a complete contrast to the ‘outright denial’ response by Mobikwik, the company admitted the claims and upgraded its systems to plug the holes.
Below is a chart showing more such data breach and leak that have happened in the past 1 year in the Indian Startup space:
So does this mean that the Startups are taking our Data for granted?
Well, if it makes you feel any better (or worse), many legacy firms in India have also suffered significant data leaks recently:
March 2021 – Domino’s India suffered a breach resulting in the loss of 180 Million customers’ order records, including their personal information like address and contact details.
February 2021 – Air India suffered a massive breach wherein personal information including passport and card details of 4.5 Million customers were exposed.
But what is the cause of these leaks?
Is it sheer irresponsibility on the part of the Indian Companies? Do they have outdated/inadequate security systems in place? Or is it because of an upsurge in hacking?
The thing with security of any kind, be it the locks on your main door, or the firewalls running behind applications is that it is hard to tell what came first...was it the cheap door lock that anyone could pick or the menace of the thieves who would have broken-in despite your security. Nonetheless, one cannot afford to fall asleep, especially when the threat out there is growing by the day.
Now we also know that there is no end to the amount that one could spend on Cybersecurity. So, to keep their cost in control, Startups usually employ systems commensurate to the scale of their business and the risks that they think they are facing. But when the sudden growth that Startups usually enjoy kicks in, they are slow to upgrade their systems commensurately. What they fail to consider is that rapid growth also attract cybercriminals’ attention, who often catch them off-guard, stealing valuable data and putting them up for sale. With Indian startups witnessing exponential growth in the past few years, now you know why hacking and data breach has been on the rise off late.
We know some of these startups did fail to employ systems that ought to have been in place to secure their data. But lets cut them some slack here. The growing menace of cyber-criminals is more dangerous than ever. This is evident from the fact that even some of the biggest multinational Tech companies have also suffered massive Data Breach in the past:
In April 2021, personal information of 533 Million Facebook Users (6 Million Indians), which includes phone numbers, Facebook IDs, full names, locations and more, surfaced on Telegram. However, according to the company, the leak relates to a breach that was disclosed back in 2019. Whatsoever, that’s 533 MILLION people’s data we’re talking about (more than the combined total of Indian Startups who suffered data breach in last one year).
In the past, Twitter, Yahoo, MySpace, Microsoft owned LinkedIn, Canva, Uber and Zoom have all faced data breach.
To make sure that you get it, we’ve also captured the Universal Dad of Stock Market, Warren Buffet’s take on the growing threat of Cybersecurity:
the number one problem with mankind
So is anyone even doing anything to stop these cyber criminals?
Okay we know something on this. Allow us to tell you about the Indian Landscape:
The RBI released its Master Direction on Digital Payment Security Controls in February’21. It provides necessary guidelines for setting up adequate security measures on the usage of digital payment products and services like Paytm, Mobikwik, BHIM, etc. Moreover, RBI has also announced a forensic audit on the Data Breach suffered by Mobikwik (who, as explained earlier, has denied all claims of the breach).
The Personal Data Protection Bill (PDPB) which is yet to become a law, mandates every entity handling large amount of personal data to implement security safeguards commensurate to the risk and harm associated with processing of such data. Moreover, any breach collecting personal data of individuals shall be informed to the Authorities within the prescribed time. So, if the law had been passed before Mobikwik’s historic breach, the company would have been statutorily required to disclose the same, failing which it would have had to bear fines. In the absence of any law, Mobikwik has gone scot-free and even denied all claims.
Other than the measures taken by the government, the effort made by cyber security experts and firms in spreading awareness and knowledge about data threats and breaches is commendable – Cyber intelligence firm Cybil and the independent cybersecurity researcher Rajshekhar Rajaharia, have been the first ones to spread news about some of the biggest data breaches in the past, even though startups themselves have denied claims of any breach.
What can be done to safeguard ourselves?
So now you know that despite the combined effort of watchdogs, policy makers, businesses and independent experts, the enemy out there is still at large and dangerous. So, as consumers, we shall be extremely cautious of the information that we are allowing these apps to capture, update our passwords every now & then and be aware of the services that are more likely to lose our data based on their track record. To make things easier for you, we have put together some resources:
Know before they send you a regret mail – To be informed of the data leaks before the Startup itself informs you (which in many cases could be NEVER), you can follow the independent cybersecurity researcher Rajshekhar Rajaharia on Twitter. Here's an example of how he surfaced the Domino's leak:
Know if your Data has been leaked – To know if your data has been leaked in the past, you can visit www.haveibeenpwned.com, a website which is used by security researchers to help the public find whether their data had been part of any breach.
Know who knows what – Komando has put together a comprehensive list for you to be aware of the data that the most commonly used apps are collecting from you.
Take control of your data – Here’s a list of things you can do to protect your personal data, to the extent possible.
PS: We do not give assurance on the credibility of any of these websites so please pursue it at your own risk.
This article is a part of the May'21 edition of our Startup Newsletter. Here's the complete publication: