India, at 16.9%, was among the five countries, including China and Pakistan, at risk of being exposed to cyber attacks. India also ranked fourth globally among the countries most affected by ransomware.
No one forgets a breach.
In October 2016, in what is being touted as the 'biggest ever breach of financial data in India', as many as 3.2 million debit cards were compromised. Of the cards breached, at least 2.6 million were on the Visa and MasterCard platforms while 600,000 were on the RuPay platform. State Bank of India (SBI), India's largest bank, which has over 13,000 branches, was the worst hit. The bank blocked and re-issued around six lakh debit cards to customers.
The report of the breach also indicated that a malware-related security breach took place in a non-SBI ATM network. On 7th February 2017, Hitachi Payment Services confirmed that the malware had originated in the ATM network.
In a press statement, the company said: “We confirm that our security systems had a breach during mid-2016. As soon as the breach was discovered, we followed due process and immediately informed the Reserve Bank of India (RBI), National Payments Corporation of India (NPCI), banks and card schemes to ensure the safety of their customers’ sensitive data.”
The due process is also set out in an order released by the Ministry of Electronics and Information Technology and CERT-In on January 4, 2017: “Service providers, intermediaries and body corporate shall report the cyber security incidents to CERT-In within a reasonable time of occurrence or noticing the incident to have scope for timely action. The type of security incidents shall be mandatorily reported to CERT-In as early as possible to leave scope for action.”
Below are the types of cyber security incidents that need to be reported to CERT-In:
· Targeted scanning/probing of critical networks/systems
· Compromise of critical systems/information
· Unauthorised access of IT systems/data
· Defacement of website or intrusion into a website and unauthorized changes, such as inserting malicious code, links to external websites, etc.
· Malicious code attacks, such as spreading of virus/worms/Trojans/Botnets/spyware
· Attacks on servers, such as databases/mail and DNS and network devices, such as routers
· Identity theft, spoofing and phishing attacks
· Denial of service (DoS) and Distributed Denial of Service (DDoS) attacks
· Attacks on critical infrastructure, SCADA systems and wireless networks
· Attack on applications, such as e-governance, e-commerce, etc.
Even before the infamous breach took place, the Reserve Bank of India (RBI) had issued a directive in June 2016 mandating banks to report any cyber security incident within two to six hours. RBI had also warned lenders that any delay in reporting and flagging loan frauds could result in banks and bankers being charged with abetting the criminal offence.
In October 2016, following the directive, Axis Bank was one of the few banks that filed a preliminary report about a breach to RBI. But despite the obligatory requirement, RBI had said in a statement in 2016 that “banks have been ‘hesitant’ to share incidents of cyber attacks.”
Other countries have taken concrete steps towards cyber security.
In the United States, forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information. The European authorities in August 2016 had approved the EU General Data Protection Regulation which mandates companies operating in Europe to report cyber breaches to national authorities within 72 hours.
According to a 2016 Cost of Data Breach Study, sponsored by IBM and independently conducted by Ponemon Institute LLC, there was a 29% increase in the total cost of a data breach since 2013, while the average cost of a data breach was USD 4 million.
In India, the National Crime Records Bureau (NCRB) registered a total of 11,592 cybercrime cases in the year 2015, recording a 20% rise in reported incidents from 2014 to 2015. Similar data for the year 2016 is under collection. The RBI has also registered a total of 8,689 cases of frauds involving credit cards, ATM/debit cards and internet banking during the year 2017 (up to December 2016).
Interestingly, the reported incidents have increased in the last few years in India, but so has the number of cyber security incidents.
In India, a total of 50,362 cyber security incidents were observed during the year 2016 as compared to 49,455 in 2015. The types of cyber security incidents, said the Minister of State for Electronics and IT, P P Chaudhary, in a written reply to Lok Sabha, included phishing, scanning/probing, website intrusions and defacements, virus/malicious code and denial of service attacks.
India, at 16.9%, was among the five countries, including China and Pakistan, at risk of being exposed to cyber attacks. India also ranked fourth globally among the countries most affected by ransomware.
In 2017's Union Budget, finance minister Arun Jaitley announced plans by the Indian government to enhance India's digital footprint. The government's mission is to achieve a target of 2,500 crore digital transactions for 2017-18 through UPI, USSD, Aadhaar Pay, IMPS and debit cards.
However, the regulations imposed by the RBI and the government, which mandate incident reporting by organizations and government bodies, may definitely bring more transparency into the system, but will they be enough to curb the increasing number of incidents, such as cyber warfare, intellectual property crimes and ransomware, among others? Will they be enough to safeguard the government's 'Digital India' vision?
The January 4, 2017 order is surely a step in that direction. But what India definitely needs is a cyber security vision in line with its Digital India mission. And maybe then a time will come when we will remember not the breach, but how it was tackled.