The Joint Parliamentary Committee (JPC) on the Personal Data Protection Bill has summoned cybersecurity firm Cyble and payments company PayPal for depositions later today. The Committee has also summoned Bangalore-based think tank iSPIRT, and card network companies Mastercard and Visa for deposition on November 20. Today, the JPC will also hear from companies that have not submitted their post-evidence replies.

This follows four meetings of a clause-by-clause analysis of the Bill that were held between November 11 and 12. These four meetings were attended by 11, 12, 15 and 16 members, respectively. The JPC, headed by Bharatiya Janata Party (BJP) Lok Sabha MP Meenakshi Lekhi, has 30 members.

iSPIRT is a Bangalore-based, private technology think-tank that “convert[s] ideas into policy proposals to take to government stakeholders”. It was established in 2013 and was initially mentored by Nandan Nilekani, non-executive chairperson of Infosys and the architect of Aadhaar. Its donors include Ajay Data (Data Infosys), Sameer Nigam (PhonePe) and Vijay Shekhar Sharma (Paytm) to name a few. Its volunteers include Lalitesh Katragadda (ex-Google), B.G. Mahesh (co-founder of Sahamati), Kunal Shah (CRED), among many others. It is the think-tank behind India Stack, Data Empowerment and Protection Architecture, National Health Stack, Open Credit Enablement Network (OCEN) and other public tech stacks in India. India Stack’s project roadmap has relied on UIDAI and NPCI deploying these projects.

Why Cyble?

Recently, The Ken reported that the Atlanta-headquartered cybersecurity firm Cyble, headed by Beenu Arora, that has flagged data breaches at BigBasket and RedDoorz, has a suspicious manner of operating. It notifies companies of data breaches and offers its own services to resolve the matter. If the victim company refuses, Cyble goes public with the information about the data breach. In case of ransomware attacks, it offers to negotiate on behalf of the company for a much higher price than the ransom itself. While BigBasket and RedDoorz refused Cyble’s services, Dunzo and JusPay took the bait. Paytm, on the other hand, sent a a cease and desist order to Cyble for alleging that its Paytm Mall had suffered a data breach.

“Multiple cybersecurity researchers in India and Southeast Asia who spoke to The Ken believe the firm [Cyble] may actually have ties with hackers themselves, though the evidence is, admittedly, circumstantial,” the Ken reported.

Update (7:29 pm): After the story was published, Beenu Arora, the founder and CEO of Cyble, reached out to the author of this story via LinkedIn, saying, “Cyble has been invited to provide feedback on the bill because of the awareness we have built in the country – we have a formal invitation from the government much before ‘The-Ken’ things came out – which we strongly condemn.” Arora directed us to his views that he had posted in response to a LinkedIn post, where he posted:

“There is a lot of gossips and misinformation being spread, so let me clarify a few things here. Our business model is simple, we sell threat intelligence – most commoditised and abused service in the overall cybersecurity market. What we offer – we sell SaaS license. What do we specialise in? – We have a pretty good view of the activities in darkweb forums, chat conversations as well as several cybercrime forums. Let’s get to the facts here. We willingly shared the “who”, “how”, “what”, “when” attributes to RedDoorz with no obligation or material benefits whatsoever – by the way, we never made any disclosure about them – they only came after us post-BigBasket. Why? From our experience, we share a lot more information compared to others. The intent is to assist a victim in remediation – in case the victim is interested in understanding the “where” part, they can search darkweb or Internet themselves – we are sourcing information from the Internet like many security companies. RedDoorz asked help/negotiation services from Cyble, which we explained there is no guarantee it won’t appear elsewhere whatsoever.” — Beenu Arora, CEO and founder of Cyble

In another comment to the same post, he said:

“We shared the perpetrators’ details too on our blog. We are keen to disrupt these markets and working closely with the federal agencies to dismantle them. On a side note, HCKINDIA location was shared with the Indian government over 2 months ago, will be keen to see some movements there. On the facts, we didn’t disclose Dunzo breach instead they reached out to us because we know the TTPs of ShinyHunters quite well, and we shared openly how they hack into code repositories. Something you can cross-check with them as well. As I said, the media will talk about things which are juicy and full of twists.” — Beenu Arora, CEO and founder of Cyble

***Originally published on November 19, 2020 at 10:36 am.