India is swiftly becoming one of the favorite hunting spots for cybercriminals. It's time the country takes concrete measures to secure the personal data of its citizens.
The country's national carrier, Air India, recently disclosed an infringement on its passenger service system that compromised the personal data – including date of birth, contact particulars, passport, and credit card details – of 45 lakh passengers.
The attack was part of well-coordinated hack series on the passenger service system servers of Société Internationale de Télécommunications Aéronautiques (SITA). This global ICT solution provider delivers services to 90% of the worldwide aviation industry. The data security incident impacted several international airlines, such as Singapore Airlines, Lufthansa, Malaysian Airlines, and Finnair. The level of data breach impact varied from one airline to another.
Data breach response plan
While the Geneva-based solution provider had informed about this incident to all its customers in February 2021, for a bizarre reason, Air India did not feel the urgency to advise its customers on taking necessary precautions such as changing account passwords.
Once again, the incident has revealed India's delayed approach to responding to a cybersecurity urgency and prevalent deficiencies in its IT governance model. It may not be possible to control all network intrusion incidents, impacting even those organizations that deploy robust security solutions and tools. However, companies must provide a roadmap once the breach is discovered and help minimize the damage incurred. Setting up a robust incident response plan is critical. It should be in place to examine the violation, find reasons for the security breach, urgent steps to limit the damage, and efforts needed to beef up the security.
In this case, most of the impacted airline carriers globally immediately informed their travelers about the data breach and the recommended action steps when the incident came to light. Air India surprisingly took almost three months to notify its customers whose data was compromised.
One may argue that the national carrier was ascertaining the level and scope of the data security attack and wanted to know the full details of travelers whose data was compromised. But in any cybersecurity breach, timely action can help activate a successful incident response mechanism, something which Air India could not do.
Growing incidents a colossal concern
Ever since the COVID-19 pandemic began, there has been a steep rise in the cases related to data breaches in India. In an era where companies are growing their digital footprints and remote-working has become a new norm, endpoint abuse has increased multiple times among enterprises of all sizes.
According to IBM Security's annual Cost of Data Breach report, which covered 524 organizations globally, India reported the second most cyberattacks after Japan in the Asia Pacific region in 2020. With almost a 10% increase, the financial impact of these breaches was about INR 140 million. More than the financial loss, such violations can make a severe dent in business reputation, and influence customer trust.
In Nov 2020, online grocer, Bigbasket, came to know about a major data breach on its network when it found leaked data of its two crore customers was up for sale for INR 30 lakh on the Dark Web. In May 2020, Bangalore-based learning platform, Unacademy's corporate data, the details of its 20 million user accounts, was hacked and being sold on the Dark Web for about INR 1.5 lakh.
Pizza restaurant chain, Domino’s Pizza, became the latest victim of an enormous data breach, compromising the credit card details, name, mobile numbers, and location history of its 180 million customers.
In the post-covid era, hackers are expected to get even more innovative. With the number of unsecured endpoints increasing, coupled with enterprises focusing on integrating their processes with new-age technologies, networks are becoming more susceptible and need significant investment and research efforts.
The urgency of strong data protection law
In the current digital age, modern security threats are becoming complex. While organizations need to invest significantly in their research and technology capabilities to mitigate such breaches, the Indian government also needs to expedite the process to introduce strong data security laws. Like European Union's GDPR law, Indian data protection laws also need to classify privacy as a fundamental right.
The absence of a proper legislative framework makes it difficult for Indian citizens to get clarity around their rights in case of any violation of their privacy. The country that aims to become the IT superpower has been waiting for express legislation, data protection bill, that deals with data protection.
For instance, if we had the robust data protection bill, a national carrier like Air India would have been bound to notify its flyers about the data breach incident in a specific timeframe. In most advanced countries, companies are required to undertake necessary actions within 72 hours of becoming aware of the data breach incident. Any inefficiency may result in significant fines.
The Personal Data Protection Bill, proposed in 2017, needs urgent implementation with solid parameters to define user privacy. In the digital economy, data is the goldmine that gives companies an edge to build great products and services. If the same data continues to be compromised for malicious and exploitive purposes, consumers' trust in the new shining digital economy will get weakened.