Major data breaches have occurred in India while the Personal Data Protection Bill (PDPB) has been pending before a parliamentary ad hoc committee for over a year and a half now.
The Personal Data Protection Bill is a bill that puts India on the map of countries with dedicated data protection laws. It seeks to provide for the protection of individuals' personal data and establishes a Data Protection Authority for that purpose. The Bill was introduced in the Lok Sabha on December 11, 2019 and was referred to a Joint Committee of Parliament. The committee was to review it, suggest changes and present it to Parliament, but it has been seeking extensions ever since the Budget Session of 2020; the current extension runs until the Winter Session of Parliament, 2021.
While this bill is being scrutinised in the Joint Parliamentary Committee for over a year and a half now, major data breaches and cybersecurity incidents have taken place in India.
IRCTC’s data leak in October 2020 contained the full names of about a million users along with their mobile numbers, e-mail IDs, dates of birth, marital statuses and cities of residence. This data was available for free on the dark net. While IRCTC denied the data leak at the time, this was not the first cybersecurity incident at IRCTC, and the authenticity of the leaked data was substantiated by various cybersecurity experts.
Data held by SITA, Air India’s passenger system service provider, was leaked recently, exposing the personal data of 45 lakh passengers, including data points as grave as passport information and credit card details. SITA is based in Geneva, Switzerland, which heightens the data localization concerns that the PDP Bill raises.
Around the same time as IRCTC’s leak last year, Dr. Lal PathLabs also suffered a data leak. According to a media report, the personal data of millions of users was stored on its AWS server, not protected by a password. The company clarified that it was a misconfiguration issue and involved only 0.5% of its records. Incidents like these did not bother the companies at an operational, let alone legal, level back then, but some major cybersecurity attacks, like the one on Dr. Reddy’s servers, forced it to shut down its operations worldwide for a day. Both of these incidents occurred during the pandemic. Dr. Reddy’s was, in fact, in the middle of its vaccine trials.
These malicious attacks have also hit corporates with the harshest impacts. In March 2021, a major data leak of 8.2 terabytes happened at MobiKwik. KYC documents of around 10 crore people were available for sale on the dark web. While the company denied the data leak, photos of people’s passports, Aadhaar cards, etc., along with sensitive personal data points, were floating around on the dark web, ready to go into the hands of the highest bidder.
India witnessed one of the biggest and most dangerous data leaks in its history when, in May 2021, personal data held by Domino’s India was leaked. Unlike other leaks, this data was available on the surface web and was presented in a user-friendly search engine format.
Users could search for mobile numbers/email IDs of their targets and get their order addresses with geo coordinates. While the company denied the leak of any financial data, this information was enough for anyone to misuse. “I started getting calls from people complaining that they have started receiving spam messages and random calls all of a sudden, after the Domino’s data leak,” said Nitin Pandey, a cyber consultant with the UP Police and a dark web researcher. He further added, “Data leaks like these have far-reaching implications when this data gets in the hands of malicious entities. From petty spammers to hitmen to terrorist organizations, anyone can misuse this data, especially the big data which gives them exposure to large cross sections of our population.”
The Personal Data Protection Bill had provisions for classifying sensitive data and imposing data protection standards on organizations collecting it, but it also had its own shortcomings. While there is no record of a JPC meeting after 29th December, 2020, Meenakshi Lekhi, the committee’s former chairperson, told the media in January that the committee had recommended 89 changes to the initial draft and that presentation in Parliament would take some time. The committee’s new head, PP Chaudhary, has sought a further extension till the first week of the winter session.
Meanwhile, courts abroad are setting precedents by fining tech giants over data misuse. Found in violation of the EU’s General Data Protection Regulation, Amazon was recently fined $850.6 million. Zoom, on the other hand, just settled a lawsuit for $85 million in the land of stringent data protection laws, the USA. Data security is more than what meets the eye. While some events go unnoticed, some are denied outright and some are severe enough to shed light on the need for robust data protection practices.