Last year’s data breach at the credit rating agency Equifax may have been larger than previously believed, reports The Wall Street Journal. A document submitted to the Senate Banking Committee has revealed that hackers accessed additional personal information, including tax identification numbers, e-mail addresses, credit card information, and state & date of the issue information of drivers licenses.
In September 2017, the company had admitted that vulnerability in one of its web applications had led to the leak of information of around 143 million Americans’ social security numbers, driving license numbers, and a couple hundred thousand credit card numbers. The breach had taken place between May and July 2017. Subsequently, Equifax revised its initial figures and informed that around 2.5 million additional US consumers were potentially impacted by the security breach, taking the total up to 145.5 million.
Later that month, it came to light that there had been another breach in March 2017, which affected payroll service data. However, the company claimed that the security breach in March was communicated to the customers as well as the regulator. It’s worth noting that on both occasions the hackers were reportedly the same.
The following month, in October 2017, further evidence revealed that the breach had exposed the records of 15.2 million clients from the United Kingdom as well. Of these about 14.5 million records, collected between 2011 and 2016, didn’t include information that might put consumers at risk, but the remaining 693,665 records contained sensitive information. Personal information of about 8,000 Canadian consumers were also impacted by the breach.
Data protection in India
India’s Supreme Court has recently declared privacy as a citizen’s right, but a law on data protection still does not exist. Thus, companies that maintain data of Indian citizens for various purposes operate in a legal vacuum, and their own internal security standards are the only thing standing in the way of this data being breached. Government organizations alone have passively leaked over 130–135 million Aadhaar numbers, simply by not masking that information on their websites.
A law to protect data, is thus, essential to ensure security. A white paper on this has been drafted by a Committee of Experts headed by Justice B.N. Srikrishna, set up by the Ministry of Electronics and Information Technology (MeitY). Over 100 submissions have been made to the committee regarding this, which the committee will deliberate and make recommendations regarding the contours of a Data Protection law in India.
The Telecom Regulatory Authority of India has also issued a consultation paper on data protection. The paper relies on the Justice AP Shah report on Privacy, and looks into the role of data controllers, which is any organisation that determines the purposes and means of processing the personal information of users: essentially any app or service.
Various stakeholders have submitted their responses to the TRAI. For instance, the Cellular Operators Association of India (COAI) has demanded that other communication service providers be regulated as strictly as telecom operators. Similarly, French IoT company SigFox has also submitted its responses.