Experts Plan To Take Indian Cybersecurity Watchdog To Court For ‘Inaction’
MUMBAI, India — Thirty-three-year-old media professional Mithun Mohandas first came to know about the Domino’s India data breach in mid-April when rumors were going around on the internet.
On April 19, ethical hacker Rajshekhar Rajaharia tweeted about the data breach of 200 million orders made via Domino’s India. On May 21, Rajaharia tweeted a screenshot of a webpage from the dark web, a part of the internet that can’t be indexed by regular search sites, which had a search module to look up Dominos user details.
Mohandas then searched for the link that would let him access the dark web page that Rajaharia had tweeted.
“After having gone through my ‘very public’ order history on the dark web, I now know that my orders from Dominos are about 2.5-3 months apart,” Mohandas told Zenger News.
“The latest order was on November 17, 2020, at 4:53 pm, and details about the same were also found in the leak.” At no point did Mohandas receive any notification from Domino’s India about the breach.
Domino’s India is the latest entity to have become a data breach victim. Other high-profile cases include the data breach of 110 million users of MobiKwik, an online wallet company; 20 million users of e-grocery major BigBasket; debit and credit card details of 35 million users of fintech firm JusPay.
In case of a data breach, the Indian cybersecurity watchdog Computer Emergency Response Team (CERT-In) must be notified.
In the case of MobiKwik, Rajaharia, who had brought the data breach to users’ attention, told Zenger News that he had shared every detail with CERT-In. He did the same with Domino’s India breach as well. But he is yet to receive any response.
Hyderabad-based independent researcher Srinivas Kodali told Zenger News that the Free Software Movement of India, a coalition of organizations promoting free and open-source software, has regularly sent letters to CERT-In but to no avail.
“There has been no response from CERT-In,” said Kodali. “Outreach-wise, CERT-In is doing a terrible job. One needs to look at their Twitter account.”
Despite so many data breaches in 2021, there isn’t any mention on the CERT-In homepage.
On its Twitter account, CERT-In updated its followers on the action taken on data breaches till December 2020. The handle has been practically inactive since February this year. CERT-In did not respond to queries from Zenger News.
The Free Software Movement of India said CERT-In did not respond to its letter asking for an investigation into the Dominos hack. “We still have not received any response from them. We intend to appeal this in courts.”
“Our main demand from the court is to direct CERT-In to investigate the data breaches as they won’t listen to us,” Kodali said.
“The case may or may not be listed. We don’t know when its judgment will come. We have collaborated with the Software Freedom Law Centre, which is helping us with all the legal help. It’s going to be a long process. All we are asking is for CERT-In to do its job of investigating the data breaches and inform the public of the status of the investigations.”
In data hacks involving Domino’s and MobiKwik, users were not notified by the companies that their data had been breached.
“In the case of MobiKwik, it was forced to accept a breach had occurred only after a lot of noise was made about it online,” Kodali said.
MobiKwik had also threatened Rajaharia with legal action.
Suman Kar, the founder of cybersecurity firm Banbreach, says he’s in touch with other cybersecurity organizations to work out the right steps to take.
“There is an overwhelming sense among the community that people don’t know what to do as they aren’t informed about these breaches in time,” Kar told Zenger News.
According to Kar, CERT-In is just one body under the Ministry of Electronics and Information Technology (Meity), which the parliamentary committee oversees. This committee, supposed to meet regularly, has been missing these meetings due to the Covid-19 crisis.
“The way it works in the U.S., or even in the EU, Japan, Australia or Brazil — they all have privacy laws which mandate that if you have been breached, then you need to send out notifications. In the U.S. — if the number is less than 500, you don’t need to do that. In India, we have crossed that minimum number 1,000 times over, and yet, none of these organizations have informed their users,” said Kar.
He believes that the lack of strong privacy laws and regulations around disclosures related to data breaches gives companies the confidence to keep users in the dark about a data breach.
According to Kar, there are three pressing matters concerning CERT-In’s response to breaches.
“First is communication. I don’t know what they are doing about the data breaches. The second thing is helping the industry. CERT-In should actively categorize the breaches and ensure affected companies collaborate and share intelligence to improve the overall cybersecurity landscape. The third aspect is reparations in financial terms for the victims of these data breaches.”
The penalty for not reporting incidents to the CERT-in is a paltry INR 5,000 per day (approx $70). Also, the penalty for contravention of any regulations of the Information Technology Act, 2000, is INR 25,000 (approx $340).
“No rich corporation is ever going to lose sleep over such penalties,” Mohandas said.
“Non-compliance of security standards should elicit much harsher penalties, and CERT-In should ideally be given the power to take cognizance on its own on security incidents and a stricter security breach notification law needs to be put in place.”
Back in 2019, after news emerged about Israeli spyware Pegasus affecting WhatsApp users, the government and CERT-In were proactive in sending WhatsApp a notice. In 2018, CERT-In issued an advisory in response to the Cambridge Analytica data breach.
But when it comes to data breaches by Indian companies, the response hasn’t been swift.
“There is digital nationalism, which is more about protectionism for Indian companies. You don’t want foreign companies to take over the Indian sector. Every nation-state can protect its interest, and there’s nothing wrong with it, but then make it a policy. In the current case, MobiKwik, Domino’s didn’t even care about the breach,” Kodali said.
“The onus to ensure data privacy is maintained and the rights of Indian users protected lies with the government. The companies may try to say many things to justify their stand, but policing them is CERT-In’s job. They have failed at this since the Information Technology Act came into being in 2000.”
(Edited by Abinaya Vijayaraghavan and Amrita Das)