The court was hearing a plea that was filed after India’s computer emergency response team reportedly failed to respond to grievances and requests for an investigation into the data breaches.
The Delhi High Court on August 13 issued notice on a petition demanding a government investigation into reported data breaches at Air India, Domino’s Pizza, BigBasket, and MobiKwik. The petition was filed by the Free Software Movement of India, which made its petition available on its website. “The grievance raised in the present petition is that the [Indian Computer Emergency Response Team (CERT-In)] is not taking any action qua the incidents of cyber security breaches and data leaks committed by various entities, despite the same being brought to its notice by the petitioner vide its detailed representations,” a single-judge bench of Justice Rekha Palli observed. Ajay Digpaul, Central Government Standing Counsel, asked for time to consult the government; the case will next be heard on September 23.
Litigation is emerging as the only recourse for Indians affected by data breaches. The Personal Data Protection Bill, 2019 has been under examination by a Joint Parliamentary Committee for almost two years; the committee has now obtained an extension till December to present its findings, and to introduce the bill in Parliament. Without the bill being passed, India won’t have a Data Protection Authority that can look into breaches like these.
The government is addressing these breaches: in Parliament, (such as by saying they didn’t affect bureaucrats’ email addresses) and in response to other countries’ data protection authorities, which Air India has been doing in the aftermath of a data breach at SITA, a contractor that handled its user data. Customers haven’t had much recourse or compensation, leading to two journalists filing a legal notice to the national air carrier demanding damages.
CERT-In ignored requests: FSMI
The petition by Y Kiran Chandra, the Secretary-General of the FSMI, said that it had reached out to CERT-In on four occasions. In response to the last communication, a grievance officer with CERT-In said “We would like to inform you that CERT-IN is aware of its responsibilities and does not require [FSMI’s] directions to investigate data breaches as highlighted by you. Organizations named in your notices have been directed to comply with the relevant provisions of law.”
- CERT-In obligated to take action: FSMI said that CERT-In was obligated by law to take action. “under Section 70B of the Information Technology Act, 2000, CERT-In is responsible for collecting and analysing information on cyber incidents; take emergency measures for handling cyber security incidents; issue guidelines, advisories, vulnerability notes on security practices, procedures, prevention, response and reporting of cyber incidents; and to call for information and give directions to the service providers, intermediaries, data centres, body corporate and any other person,” the petition said. (emphasis ours) CERT-In’s own rules require it to respond to breaches, the petition argued.
- Since there is no law, CERT-In needs to act: In the absence of a data protection bill, it was important for CERT-In to act, the petition said. “There is no law governing data protection in India as of now. Thereby, the aggrieved users do not have any legislative recourse against such breaches. Therefore, an investigation by CERT-In on frequent data breaches at mass level becomes important to safeguard the privacy of users,” the petition said. (emphasis ours)
- Respond to grievances and requests for investigation: The petition prayed that CERT-In be ordered to respond to its representations on the data breaches, and that “such other or further order(s) as may be deemed fit and proper in facts and circumstances of the present case” be passed by the court.
What was breached
In each of the four breaches, here’s the user data that was reportedly compromised:
- Air India: SITA PSS, a tech contractor for Air India, had a large amount of customer data breached. This included “name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data” of 4.5 million people, Air India said. Credit card details were breached, but the CVV verification codes on cards weren’t, the airline said.
- Domino’s Pizza: Jubilant Foodworks, which runs Domino’s in India, was hit with a breach, with 180 million users of the Domino’s India app or website having their “order details, names, phone numbers, emails, addresses, [and] payment details” leaked, we had reported in May. Users’ cumulative order value on the Domino’s app and website were also visible publicly; the data was put up for sale.
- BigBasket: The grocery delivery player had “full names, email IDs, password hashes (potentially hashed OTPs), pin, contact numbers (mobile + phone), full addresses, date of birth, location, and IP addresses of login among many others” breached, security firm Cyble said. Over 20 million users were reportedly impacted. BigBasket said it would investigate and hold the “culprits” accountable, and that other user data may have been accessed.
- MobiKwik: MobiKwik reportedly saw a breach of 36 million KYC files (like scans of identity cards) belonging to 3.5 million people, 7.5 terabytes of similar data for over 3 million merchants, “99 million users’ phone numbers, emails, hashed passwords, addresses, bank accounts and card details,” and “Over 40 million card details, up to 10 digits, have also been leaked with month, year and card hash data,” we had reported in March. Bipin Preet Singh, MobiKwik co-founder and CEO, said that the data could have been obtained from anywhere, and not necessarily from MobiKwik, even as the company itself said it would get a third-party forensics firm to look into the allegations.
- Journalists Seek Rs 30 Lakh In Damages From Air India For Data Leak
- Millions Of Card And KYC Details Leaked From MobiKwik Up For Sale
- Data Of 2 Crore BigBasket Users Leaked, Being Sold On Dark Web
- Data Breach At Air India Comprised 4.5 Million Customers’ Data
- Data Leak From Dominos India Affects 180 Million Users
Have something to add? Subscribe to MediaNama and post your comment