The protection of the fundamental right to privacy has become critical as more of life moves online: the exploitation of personal information without people’s knowledge and consent can expose the identities of millions at once. In March 2021 it was reported that India had witnessed its largest data breach yet, with the records and private information of a staggering 100 million customers of a financial start-up exposed. The start-up in question, MobiKwik, denied that any such breach ever occurred.
The payment app came under scrutiny after a security researcher alleged that data belonging to some 3.5 million of its customers was being sold on the dark web. According to the researcher, the information put up for sale included KYC documents, addresses, phone numbers, Aadhaar card data and other personal details. Several people also reported finding their own personal information through the dark web link that was circulating on the Internet.
BACKGROUND OF THE DATA BREACH
The breach was first reported on Twitter by the cyber-security analyst Rajashekhar Rajaharia, who also notified the Reserve Bank of India (“RBI”), the Indian Computer Emergency Response Team (“CERT-In”), the Payment Card Industry Security Standards Council and various payment technology service providers. A hacker group calling itself Jordan Daven sent the database link to the Press Trust of India (“PTI”) and stated that its only aim was to extract money from the company, after which it would delete the data from its end.
According to the researcher, the data taken from a MobiKwik server includes Know-Your-Customer (“KYC”) documents, unmasked card numbers and other personal details of over 10 crore (100 million) Indians. In a series of tweets he named MobiKwik and said that the attackers had had access to the company’s data since January 2021. Other security researchers have since questioned the accuracy of some of these claims; however, the well-known security researcher Robert Baptiste confirmed the breach in March 2021, crediting a third researcher for the information.
Bipin Preet Singh, CEO of MobiKwik, issued a statement on the suspected breach and effectively denied that MobiKwik had any role in the data being leaked on the dark web. He said: “Some users have complained that their data is exposed on the dark web. It is absolutely conceivable that any user uploaded their data to several platforms. It is false to claim that the data available on the dark web was obtained from MobiKwik or any other known source.”
LARGEST KYC DATA LEAK IN HISTORY
Digital presence has grown globally for two decades, and the Covid-19 pandemic has pushed people even further into the digital economy: more and more individuals turn to digital channels for everything from buying food to obtaining healthcare. With it has come a proportionate rise in personal data breaches, particularly at large digital service providers, and it is becoming clearer by the day that India’s current data protection regime cannot cope with them.
The hacker group dubbed ‘Jordan Daven’ is reported to have taken over 8 terabytes (TB) of personal user data from MobiKwik’s primary server and offered it on dark web forums: email addresses, phone numbers, names, addresses, passwords, GPS positions and data about users’ mobile devices. In this case the attacker appears to have gained access to MobiKwik’s cloud infrastructure and, from there, to the data stores holding this information. To limit this kind of breach, companies holding such data must rotate access keys and passwords on a fixed schedule, revoke credentials that are no longer in use, and collect and actually review the access logs of the stores that hold sensitive data, so that an unusual volume of reads or access from an unexpected location is noticed before terabytes leave the network.
Other reports attribute the breach to a hacker group known as ‘Ninja Storm’, which has been selling the leaked data online since 26 March 2021. These reports also state that the data was offered on the dark web for 1.5 Bitcoin, worth around Rs. 65 lakh at the time (and about Rs. 42.5 lakh at the time of writing).
With data breaches on the rise, Indian companies must put the security of their customers’ data first. The RBI has been watching such incidents closely and has introduced several new requirements, including its guidelines for payment aggregators and payment gateways, which among other things restrict the storage of customers’ card data to authorised entities so that it is no longer spread across every merchant’s servers.
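The two controls just mentioned, scheduled credential rotation and review of access logs for the sensitive data store, are easy to state and easy to neglect. The following Python script is an added example, not code from the article and not anything from MobiKwik’s systems: it audits a constructed inventory of access keys against an assumed 90-day rotation and 30-day idle policy, then scans constructed access-log lines for reads of a KYC bucket from networks a principal is not expected to use and for principals whose read volume suggests bulk download. Every key identifier, principal name, IP address, bucket name and log line is made up for illustration.

```python
"""
Added example: credential-rotation audit plus access-log review for a
sensitive data store. All identifiers, policies and log lines below are
constructed for illustration; nothing here is from MobiKwik or the article.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

MAX_KEY_AGE_DAYS = 90      # assumed policy: rotate every credential within 90 days
MAX_IDLE_DAYS = 30         # assumed policy: disable credentials unused for 30 days
BULK_READ_THRESHOLD = 3    # constructed: reads of the KYC bucket per principal that warrant review


@dataclass
class Credential:
    owner: str
    key_id: str                  # constructed identifier, not a real key
    created: datetime
    last_used: Optional[datetime]


def audit_credentials(creds, now, max_age_days=MAX_KEY_AGE_DAYS, max_idle_days=MAX_IDLE_DAYS):
    """Return (owner, key_id, reason) for every credential that violates the rotation policy."""
    findings = []
    for c in creds:
        age_days = (now - c.created).days
        if age_days > max_age_days:
            findings.append((c.owner, c.key_id, f"rotate: {age_days} days old, limit {max_age_days}"))
        # A key that was never used counts as idle since its creation.
        idle_days = (now - (c.last_used or c.created)).days
        if idle_days > max_idle_days:
            what = "never used" if c.last_used is None else f"idle {idle_days} days"
            findings.append((c.owner, c.key_id, f"disable: {what}, limit {max_idle_days}"))
    return findings


# Constructed log format: ISO timestamp, principal, action, bucket, source IP.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) principal=(?P<principal>\S+) action=(?P<action>\S+) "
    r"bucket=(?P<bucket>\S+) src_ip=(?P<ip>\S+)$"
)


def review_access_log(lines, sensitive_bucket, allowed_nets, bulk_threshold=BULK_READ_THRESHOLD):
    """Flag object reads of the sensitive bucket from networks the principal is not
    expected to use, and principals whose read count exceeds the bulk threshold."""
    alerts = []
    reads = Counter()
    nets = {p: [ipaddress.ip_network(n) for n in cidrs] for p, cidrs in allowed_nets.items()}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            alerts.append(("unparsed", line.strip()))   # never silently drop a log line
            continue
        if m["bucket"] != sensitive_bucket or not m["action"].endswith("GetObject"):
            continue
        principal, ip = m["principal"], ipaddress.ip_address(m["ip"])
        reads[principal] += 1
        if not any(ip in n for n in nets.get(principal, [])):
            alerts.append(("unexpected-source",
                           f"{principal} read {sensitive_bucket} from {ip} at {m['ts']}"))
    for principal, count in reads.items():
        if count > bulk_threshold:
            alerts.append(("bulk-read", f"{principal} read {count} objects from {sensitive_bucket}"))
    return alerts


NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)   # constructed "current time" for the audit

SAMPLE_CREDENTIALS = [   # constructed inventory
    Credential("api-gateway", "KEY-001", datetime(2021, 1, 15, tzinfo=timezone.utc),
               datetime(2021, 2, 28, tzinfo=timezone.utc)),
    Credential("backup-svc", "KEY-002", datetime(2020, 6, 1, tzinfo=timezone.utc),
               datetime(2021, 2, 27, tzinfo=timezone.utc)),
    Credential("ex-contractor", "KEY-003", datetime(2020, 11, 1, tzinfo=timezone.utc), None),
]

SAMPLE_LOG = """\
2021-02-27T01:00:03Z principal=api-gateway action=s3:GetObject bucket=kyc-documents src_ip=10.0.1.7
2021-02-27T01:00:09Z principal=backup-svc action=s3:GetObject bucket=kyc-documents src_ip=10.0.2.5
2021-02-27T02:14:11Z principal=backup-svc action=s3:GetObject bucket=kyc-documents src_ip=203.0.113.45
2021-02-27T02:14:12Z principal=backup-svc action=s3:GetObject bucket=kyc-documents src_ip=203.0.113.45
2021-02-27T02:14:13Z principal=backup-svc action=s3:GetObject bucket=kyc-documents src_ip=203.0.113.45
2021-02-27T02:14:14Z principal=backup-svc action=s3:ListBucket bucket=kyc-documents src_ip=203.0.113.45
2021-02-27T03:00:00Z principal=api-gateway action=s3:GetObject bucket=public-assets src_ip=10.0.1.7
""".splitlines()   # constructed log lines

ALLOWED_NETS = {"api-gateway": ["10.0.1.0/24"], "backup-svc": ["10.0.2.0/24"]}   # assumed


def run_audit():
    """Run both checks over the constructed data and return their findings."""
    return (audit_credentials(SAMPLE_CREDENTIALS, NOW),
            review_access_log(SAMPLE_LOG, "kyc-documents", ALLOWED_NETS))


if __name__ == "__main__":
    cred_findings, log_alerts = run_audit()
    for f in cred_findings:
        print("credential:", *f)
    for a in log_alerts:
        print("log:", *a)
```

Against the constructed data the audit flags the backup service key as overdue for rotation, flags the ex-contractor’s key both as overdue and as never used (and therefore to be disabled), and the log review reports three reads of the KYC bucket by the backup service from an address outside its expected network followed by a bulk-read alert for that principal. In a real deployment the inventory would come from the cloud provider’s credential report and the log lines from its storage access logs, and the thresholds would be tuned to the service’s normal read volume.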
LEGAL IMPLICATIONS OF THE BREACH
Data breaches, and data protection generally, are currently governed by the Information Technology Act, 2000 (“the IT Act”), which is plainly insufficient for protecting confidential information. Section 72A of the IT Act criminalises the disclosure, without consent, of personal information obtained while providing services under a lawful contract, but because the provision is tied to that contractual context it is vague and grossly inadequate as a general rule against disclosing sensitive personal information without the owner’s consent. Section 43A, together with the Sensitive Personal Data or Information Rules, 2011, adds only a civil claim for compensation where ‘reasonable security practices’ are not followed, not a genuine data protection framework.
Although the Hon’ble Supreme Court of India (“the SC”) recognised the right to privacy as a fundamental right under Article 21 of the Constitution in Justice K.S. Puttaswamy v. Union of India (2017), India still lacks explicit legislation on privacy and data protection. The Personal Data Protection Bill, 2019 (“PDPB”) has been introduced in Parliament but is yet to be enacted and brought into force.
India voted for the Universal Declaration of Human Rights and is a party to the International Covenant on Civil and Political Rights, both of which recognise the right to privacy (Articles 12 and 17 respectively) as an essential component of human life. The absence of a specific statute protecting the right to privacy in India, however, leaves a large gap that must be closed; until it is, efforts to expand and improve the security of personal data risk being rendered ineffective.
The defining characteristic of ‘personal information’ is that it identifies a person and distinguishes them from others. The person to whom such information belongs should therefore be free to decide whether or not it enters the public domain. Where no user agreement governs the matter, such information should be collected and disclosed only under a comprehensive legal framework such as the PDPB, in order to preserve the rights to privacy and confidentiality and to strengthen the protection of sensitive personal information.
Companies collecting and processing personal information from users in India are currently governed by the IT Act. This regime does not afford users or their personal data adequate protection: it emphasises data security but says little about data privacy. Businesses therefore take technical measures to secure personal information but do not honour users’ choices about how their personal data is processed. The present legislation is also ill-equipped to handle the risks created by new data-processing technologies.
In the wake of what has been called the “largest KYC breach ever”, MobiKwik’s customers have been left in doubt and confusion by the continuing clash between the platform and the researchers. Customers are advised to change their MobiKwik password, to change the password of any other account on which the same password was reused, and to enable two-factor authentication (‘2FA’), whether a one-time password (‘OTP’) or a fixed passcode, on their e-mail and payment accounts wherever possible. They should also treat unexpected calls or messages that quote their personal details with suspicion, since leaked KYC data lends itself to convincing phishing. Enactment of the PDPB would bring long-awaited reforms to the law on data protection and security, and with them better protection of the public’s right to privacy.