IFF’s cybersecurity report for the first quarter of 2024 #PlugTheBreach
tl;dr
Recent data breaches and leaks have underscored the widespread impact on the data security of millions of users. Prolonged cybersecurity incidents, like the S3WaaS vulnerability, have raised concerns about the detection and response capabilities of India’s cybersecurity authorities. This series, which will include quarterly reports of IFF’s work on data breaches and vulnerabilities, will list the various cybersecurity incidents that occurred in the country as well as our actions in response to them. We highlight the need for organisations to prioritise proactive measures, transparency, and public awareness to mitigate risks and foster cyber resilience in an interconnected digital world.
The grim state of cybersecurity in India
The urgent need to operationalise the Digital Personal Data Protection Act (“DPDPA”), 2023 is underscored by the increasingly pervasive threats to individuals’ digital privacy and security. As technology advances, so do the methods and scale of cyberattacks, leaving individuals and organisations vulnerable to data breaches, identity theft, and surveillance. A comprehensive, robust, and rights-respecting data protection legislation is essential to establish clear guidelines, regulations, and enforcement mechanisms to safeguard personal information, ensure transparency in data handling practices, and hold entities accountable for any lapses in cybersecurity protocols. The inadequacies of the DPDPA, 2023 in safeguarding data privacy and empowering data principals in the event of a breach, as well as the current grim state of cybersecurity in the country, reveal concerning gaps and vulnerabilities. Despite efforts to bolster cybersecurity measures, including establishing dedicated agencies and initiatives, challenges such as insufficient resources, outdated infrastructure, and a shortage of skilled professionals persist. The recent exemption of the Indian Computer Emergency Response Team (“CERT-In”) from the Right to Information (“RTI”) Act, 2005 raises serious concerns about the accountability of an organisation whose actions or inaction are consequential for the state of cybersecurity and individual privacy in the country. This move is certainly not in the public interest, as it weakens the rights of the people by diluting an Act meant to empower them.
Data breaches and vulnerabilities in 2024 Q1
Sparsh Portal data leak: A reported data breach compromised the SPARSH portal, which is used to manage the pensions of defence personnel. Sensitive information such as usernames, passwords, and pension numbers of numerous personnel, mainly from Kerala, was exposed. This breach, linked to the ‘lumma’ malware, underscores vulnerabilities in the Tata Consultancy Services-developed portal. The data’s appearance on a Russian marketplace also raised concerns about potential misuse. We wrote a letter to CERT-In, the nodal authority assigned to oversee data breaches, bringing this breach to their notice and urging an enquiry as well as an appropriate remedy for the affected users.
Vulnerability in the Hyundai Motor India Database: According to TechCrunch, the personal data of Hyundai Motor India customers was exposed due to a bug in their system. Despite Hyundai’s fix, concerns persisted, as the company declined to provide information on whether the bug had been misused. The bug leaked customer details, including names, addresses, emails, vehicle specifics, and phone numbers, especially for those using authorised service stations. Web links that Hyundai shared with customers also inadvertently exposed their phone numbers. Read our letter to CERT-In here.
Data leak of an Indian mobile network database: CloudSEK, a cybersecurity firm, confirmed a massive data leak from an Indian mobile network database. According to reports, a 1.8-terabyte database containing the personal details of 750 million individuals was being sold on the dark web by a threat actor known as ‘CyboDevil’. The leaked information included names, mobile numbers, addresses, and Aadhaar details, affecting approximately 85% of the population. After analysing sample data provided by the threat actor, the researchers reported that all major telecom companies were impacted. Despite inquiries, the threat actor denied involvement in the intrusion, attributing the data’s acquisition to undisclosed sources within law enforcement. As per the report, “An email sent to CERT-In, a government nodal agency for cybersecurity, elicited no response till the time of going to press.” Read our letter to CERT-In here.
Data breach of FreshMenu: A significant data breach reportedly affected FreshMenu, a Bengaluru-based food delivery platform. Reports indicated that a threat actor had accessed and exposed over 3.5 million order records containing personal information such as phone numbers, emails, names, billing and shipping addresses, and IP addresses, owing to an unprotected 26 GB MongoDB database. Despite being notified by the Cybernews research team on December 14, 2023, FreshMenu did not respond to inquiries or comment on the breach. Read our letter to CERT-In here.
Data breach of UP Marriage Assistance Scheme site: According to India Today, unidentified perpetrators executed a cyber fraud exceeding Rs 1 crore by breaching the web portal of Uttar Pradesh’s Marriage Assistance Scheme. The breach compromised the ID of the Additional Labour Commissioner, facilitating fraudulent payments via the Uttar Pradesh Building and Other Construction Workers Welfare Board’s portal, which administered the Scheme. The breach affected the portals UPLMIS.in and sna.uplmis. This resulted in double payments to ineligible beneficiaries, totalling over Rs 1,07,80,000. Allegedly, the actors submitted over 250 applications within two days, transferring funds from the accounts of 196 individuals. IFF wrote to CERT-In and received a prompt response thanking us for informing them of the breach and assuring us of their involvement in the matter. Read our letter to CERT-In here.
Data breach of documents containing data from EPFO, Indian PMO, and other public and private organisations: The data breach reportedly impacted datasets from the Prime Minister’s Office (“PMO”), the Employees’ Provident Fund Organisation (“EPFO”), and other public and private organisations. According to the Economic Times, the government was investigating reports of a breach allegedly including data from these entities at the time of reporting. Documents purportedly leaked on the social media platform X (formerly Twitter) claimed to contain data from EPFO, PMO, and other organisations. Senior officials said that CERT-In had been tasked with verifying these claims. Cybersecurity experts were also examining the situation, though there was no concrete evidence beyond the attackers’ claims at the time of the report. Read our letter to CERT-In here.
Data breach at boAt: A significant data breach recently affected the Indian consumer wearable brand boAt. According to Business Standard, the breach exposed the personal data of over 7.5 million users and was allegedly orchestrated by a hacker known as ShopifyGUY. Sensitive information such as names, addresses, phone numbers, email addresses, and customer IDs was compromised, with approximately 2 gigabytes of data made available on dark web forums. boAt acknowledged the incident, initiated a thorough investigation to safeguard customer data, and affirmed that protecting customer information is its utmost priority. Read our letter to CERT-In here.
S3WaaS Vulnerability: The ‘Secure, Scalable and Sugamya Website as a Service’ (S3WaaS) platform of the Government of India, developed for hosting government websites, was found to have a significant vulnerability in January 2022. Security researcher Sourajeet Majumder discovered that the flaw could potentially lead to the exposure of sensitive personal data of around 2,50,000 Indian citizens, primarily COVID-19 vaccine beneficiaries. At Sourajeet’s request, IFF alerted CERT-In about the security flaw twice, in January and March 2022. CERT-In acknowledged the email and responded promptly both times. We also notified the National Informatics Centre (“NIC”), but they did not respond. Despite these alerts and correspondence with CERT-In and NIC, the vulnerability persisted until March 2024, when Sourajeet confirmed its resolution. Read our explainer about this vulnerability here.
PlugTheBreach: IFF’s data breach tracker
You can find a non-exhaustive list of data breaches in the country since 2020 in a publicly accessible database, PlugTheBreach, a small-scale IFF initiative aimed at covering, reporting, and tracking data breaches in India to increase transparency and public awareness.
Conclusion
The multitude of recent data breaches and leaks underscores the critical importance of robust cybersecurity measures in today’s digital landscape. From breaches compromising sensitive defence personnel information to vulnerabilities in major databases and platforms, these incidents highlight the pervasive risks individuals and organisations face.
In the face of these challenges, organisations must prioritise proactive cybersecurity measures, including regular audits, robust encryption protocols, and swift incident response procedures. Moreover, there is an urgent need for greater transparency and accountability in handling data breaches, as seen in cases where affected companies failed to acknowledge or adequately address the breaches promptly.
Public awareness and education on cybersecurity best practices also play a vital role in mitigating risks and fostering a culture of cyber resilience. Thus, as we navigate an increasingly interconnected digital world, we must remain vigilant and proactive in safeguarding our digital assets and protecting user privacy.
Important Documents
- Letter to CERT-In on Sparsh Portal data leak dated 12 January, 2024 (Link)
- Letter to CERT-In on Hyundai Motors vulnerability dated 15 January, 2024 (Link)
- Letter to CERT-In on Mobile Network data leak dated 30 January, 2024 (Link)
- Letter to CERT-In on FreshMenu data leak dated 30 January, 2024 (Link)
- Letter to CERT-In on UP Marriage Assistance Scheme dated 8 February, 2024 (Link)
- Letter to CERT-In on data breach of EPFO and PMO datasets dated 22 February, 2024 (Link)
- Letter to CERT-In on boAt data breach dated 9 April, 2024 (Link)
- Letter to CERT-In on S3WaaS Vulnerability dated 21 January, 2022 (Link)
- Letter to CERT-In on S3WaaS Vulnerability dated 9 March, 2022 (Link)
- PlugTheBreach (Link)
This post was drafted by Policy Intern Vinamra Harkar, and edited and reviewed by Associate Policy Counsel Tejasi Panjiar.