Delhi HC issues notice on demand for CERT-In investigation into Domino’s, Air India data breaches

The court was hearing a plea that was filed after India’s computer emergency response team reportedly failed to respond to grievances and requests for an investigation into the data breaches. 

The Delhi High Court on August 13 issued notice on a petition demanding a government investigation into reported data breaches at Air India, Domino’s Pizza, BigBasket, and MobiKwik. The petition was filed by the Free Software Movement of India, which made its petition available on its website. “The grievance raised in the present petition is that the [Indian Computer Emergency Response Team (CERT-In)] is not taking any action qua the incidents of cyber security breaches and data leaks committed by various entities, despite the same being brought to its notice by the petitioner vide its detailed representations,” a single-judge bench of Justice Rekha Palli observed. Ajay Digpaul, Central Government Standing Counsel, asked for time to consult the government; the case will next be heard on September 23.

Litigation is emerging as the only recourse for Indians affected by data breaches. The Personal Data Protection Bill, 2019 has been under examination by a Joint Parliamentary Committee for almost two years; the committee has now obtained an extension till December to present its findings, and to introduce the bill in Parliament. Without the bill being passed, India won’t have a Data Protection Authority that can look into breaches like these.

The government is addressing these breaches in Parliament (such as by saying they didn’t affect bureaucrats’ email addresses) and in response to other countries’ data protection authorities, which Air India has been doing in the aftermath of a data breach at SITA, a contractor that handled its user data. Customers haven’t had much recourse or compensation, leading two journalists to file a legal notice to the national air carrier demanding damages.

CERT-In ignored requests: FSMI

The petition by Y Kiran Chandra, the Secretary-General of the FSMI, said that it had reached out to CERT-In on four occasions. In response to the last communication, a grievance officer with CERT-In said “We would like to inform you that CERT-IN is aware of its responsibilities and does not require [FSMI’s] directions to investigate data breaches as highlighted by you. Organizations named in your notices have been directed to comply with the relevant provisions of law.”

  • CERT-In obligated to take action: FSMI said that CERT-In was obligated by law to take action. “under Section 70B of the Information Technology Act, 2000, CERT-In is responsible for collecting and analysing information on cyber incidents; take emergency measures for handling cyber security incidents; issue guidelines, advisories, vulnerability notes on security practices, procedures, prevention, response and reporting of cyber incidents; and to call for information and give directions to the service providers, intermediaries, data centres, body corporate and any other person,” the petition said. (emphasis ours) CERT-In’s own rules require it to respond to breaches, the petition argued.
  • Since there is no law, CERT-In needs to act: In the absence of a data protection bill, it was important for CERT-In to act, the petition said. “There is no law governing data protection in India as of now. Thereby, the aggrieved users do not have any legislative recourse against such breaches. Therefore, an investigation by CERT-In on frequent data breaches at mass level becomes important to safeguard the privacy of users,” the petition said.  (emphasis ours)
  • Respond to grievances and requests for investigation: The petition prayed that CERT-In be ordered to respond to its representations on the data breaches, and that “such other or further order(s) as may be deemed fit and proper in facts and circumstances of the present case” be passed by the court.

What was breached

In each of the four breaches, here’s the user data that was reportedly compromised:

  • Air India: SITA PSS, a tech contractor for Air India, had a large amount of customer data breached. This included “name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data” of 4.5 million people, Air India said. Credit card details were breached, but the CVV verification codes on cards weren’t, the airline said.
  • Domino’s Pizza: Jubilant Foodworks, which runs Domino’s in India, was hit with a breach, with 180 million users of the Domino’s India app or website having their “order details, names, phone numbers, emails, addresses, [and] payment details” leaked, we had reported in May. Users’ cumulative order value on the Domino’s app and website was also visible publicly; the data was put up for sale.
  • BigBasket: The grocery delivery player had “full names, email IDs, password hashes (potentially hashed OTPs), pin, contact numbers (mobile + phone), full addresses, date of birth, location, and IP addresses of login among many others” breached, security firm Cyble said. Over 20 million users were reportedly impacted. BigBasket said it would investigate and hold the “culprits” accountable, and that other user data may have been accessed.
  • MobiKwik: MobiKwik reportedly saw a breach of 36 million KYC files (like scans of identity cards) belonging to 3.5 million people, 7.5 terabytes of similar data for over 3 million merchants, “99 million users’ phone numbers, emails, hashed passwords, addresses, bank accounts and card details,” and “Over 40 million card details, up to 10 digits, have also been leaked with month, year and card hash data,” we had reported in March. Bipin Preet Singh, MobiKwik co-founder and CEO, said that the data could have been obtained from anywhere, and not necessarily from MobiKwik, even as the company itself said it would get a third-party forensics firm to look into the allegations.


MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ