Tens of millions of users impacted. Yet, there’s no action. Most consumer tech companies would give their right arm to have 100 Mn users like Mobikwik, which is why the lack of any sort of repercussions is shocking. Mobikwik is of course not the only culpable startup in India.
Some of the largest fast-growing consumer internet startups in India are not built just with venture capital and private equity funds but using data. How they store this data — sensitive and personally identifiable customer data in most cases — is a hot topic of debate these days. While the data of millions of Indian internet users has helped tech startups achieve scale and introduce some degree of personalisation in their services and products, is the trade-off worth it — given the spate of leaks and breaches from these platforms.
The role of (personal) customer data in building billion-dollar firms (unicorns) may not be visible to the consumer themselves. But in the last decade (2010-2020) alone, Indian startups alone have stored and processed the data and records of hundreds of billions of users cumulatively, without much regulatory oversight — just ten platforms the size of Mobikwik gives us a billion users overall.
One estimate from management consulting firm Deloitte estimates that internet traffic in India is expected to increase four-fold from 21 exabytes in 2016 (1 exabyte = 1 Mn terabytes) to an estimated 78 exabytes in 2021.
However, as a global pandemic swept through the world, Indian companies have become more vulnerable to cyberattacks and data breaches and many of the top tech startups have fallen victims. Recently a slew of data breaches uncovered in India’s startup ecosystem has set alarm bells ringing among regulators and government agencies. Like Mobikwik in March 2021 — around 100 Mn users are said to be affected in the data breach, prompting public outcry and hints of regulatory intervention from the RBI. However, what surprised most observers was the staunch denial of responsibility from the fintech firm. And beyond the two days of furore, there’s seemingly no action being taken against Mobikwik.
Given that India lacks a comprehensive data protection act, which has been stuck in limbo for more than three years, Mobikwik and others before it have been able to deny responsibility and skip any legal repercussions. In the last five years alone, more than two dozen consumer tech startups have either directly or indirectly exposed personal and non-personal data of billions of customers cumulatively. Startups in hyperlocal delivery, fintech, edtech, mobility, and content streaming were the worst affected. And we are not even covering the likes of Twitter and Facebook, which have also been impacted on several occasions, or indeed the more than a dozen cases of Aadhaar-related data leaks.
Given the large swathe of the market these companies and leaks cover, chances are that personal data of pretty much every Indian internet user is already lurking in the public, and may also have made it to the wrong hands.
But beyond just trying to understand why there is an increasing number of breaches in the tech ecosystem in India, the moot question is this: In all the instances of publicly known data breaches, were the consumers or customers informed by the company involved?
Unless the company is publicly listed, organisations are not mandated to disclose instances of data breach to the public or govt agencies. Hence independent security researchers and white hat hackers are at the forefront of discovering and reporting breaches to the public, sometimes before the patches are even rolled out. In fact, security researchers and white hat hackers are filling the void that the Personal Data Protection Bill was supposed to fill in.
Data Protection Goes For A Toss With Indian Startups
Independent cybersecurity researcher Rajshekhar Rajaharia has been at the forefront of this wave of private and independent disclosures and reporting. He was the first one who spotted the MobiKwik breach in early March and informed the company, only for his attempts to be rebuffed. He told Inc42 that around 80-85% of the known data breaches among tech firms come from unsecured databases. While the rest of the breaches data are exposed via fault APIs (application programming interfaces) and directed phishing attacks through which hackers can gain access to the main servers and storage spaces.
The majority of the fast-growing startups in India utilise cloud computing services from the likes of Amazon Web Services, Microsoft Azure, and others for data storage and processing. They depend on the cloud for hosting front-end and critical infrastructure, for efficiencies in storing and processing the huge amount of data on a real-time basis and reduce maintenance costs associated with on-premise systems.
Presently, services like Google Cloud and AWS charge companies just over $1 for every 50GB of data, which translates to $0.010-$0.020 per GB. Compare this to hard disks, storage cost per GB would be anywhere around $0.030-$0.050 per GB. And we are not even accounting for the costs associated with setting up server rooms and other overheads. Of course, moving critical data to the cloud is not without its perils as improperly storing this data makes it vulnerable to attacks.
“In the last 6-8 months, the majority of the tech firms who faced data leaks were affected due to exposed AWS (access) keys which allowed hackers to gain access to the root (admin) server. Apart from this unsecured and faulty API calls inside the app runtime also allow hackers to compromise a company’s servers,” adds Rajaharia.
In late 2019, Ehraz Ahmed, a Bengaluru-based cybersecurity researcher disclosed data breaches from four tech startups including beauty marketplace unicorn Nykaa, Bounce, Pepperfry, and Justdial which affected more than 200 Mn customers. All of them were found to be using unsecured APIs which could have allowed hackers and cybercriminals to gain access to millions of user data. For the uninitiated, APIs are pieces of code that allow an application to communicate with databases and fetch information within the application environment.
The API flaws detected by Ahmed, showcased how potential attackers could log into platforms using mere knowledge of the user’s email ID alone. Once the user ID is hijacked, sensitive information could be stolen and sold over the dark web–the black market equivalent of the Internet. In fact, in the case of MobiKwk’s data breach, the entire database worth 8.2TB was on sale on the dark web.
Raja Ukil, SVP and global head at San Francisco-based cybersecurity solutions provider ColorTokens told Inc42 that hackers target companies for various different reasons and although the motive isn’t always known, hackers these days are in fact trying to monetise on breached data they acquire. ColorTokens works with companies in priority sectors such as healthcare, financial and banking, and law firms. Ukil has prior experience in dealing with major attacks from his time at software major Wipro where he was the SVP for cybersecurity and risk services. In 2019, Ukil oversaw the company’s response to a major ransomware attack and helped in the recovery.
“Earlier, cyberattacks on corporates and large organisations were distinctly focused on infiltrating and demanding a ransom (ransomware attacks similar to Wannacry). Nowadays, the same ransomware attackers also take out the data and sell it on the dark web. So the only way to guard against such attacks is by building a continuous cybersecurity interface that can detect and block unauthorized access in real-time,” added Ukil.
Criticising small and medium scale startups for not having a stringent cybersecurity environment isn’t enough to fix the state of data protection among the ecosystem. Activists, cybersecurity experts, and lawyers that Inc42 spoke to pointed out that the Indian government’s lax attitude when it comes to protecting citizen data and privacy has been a major contributor to companies refusing to follow basic disclosure practices in the event of leaks or breaches. As tech startups continue to remain unchecked without any pecuniary penalties for leaking user data, safeguarding sensitive data will continue to remain a challenge.
A Culture Of Non-Disclosure
Currently, the only far-reaching legislation that looks into data protection is built into the Information Technology Act, 2000 (IT Act). The IT Act serves as the only safeguard against data breaches with penalties and criminalisation of companies who don’t take adequate measures to protect user data. The IT Act was also amended in 2011 with additional safeguards for “reasonable security practices and procedures” to be followed by companies who handle sensitive personal data (IT Rules, 2011). The amendment also introduces a new set of penalties and criminalisation of companies found to violate the privacy of its customers.
But there are gaping holes in both legislations as many companies vehemently deny data leaks in public, and even fail to notify government agencies. Currently, businesses are expected to report all cybersecurity vulnerabilities and data breaches to the Computer Emergency Response Team (CERT-In), an arm of the IT ministry, but such notices are not mandatory.
Dr. Pawan Duggal, a Supreme Court advocate who specialises in cybersecurity, told Inc42 that although these acts have stipulated the terms for penalising companies not complying with safeguarding privacy, the sections cannot be invoked without affected parties (in this case, customers) going to court against the company. But since most organisations don’t publicly disclose data leaks fearing repercussions, their customers too remain unaware until the whistle is blown by an independent security researcher or a bug bounty hunter.
“Since we don’t have a cybersecurity regulator or a data protection regulator, all existing legislation under the IT Act 2000, and IT Rules 2011 are not fully enforceable and remain only as a guideline. So if an organisation’s data is breached, then either its clients or customers can go to court and seek unlimited damages by way of compensation under the IT Act,” adds Duggal.
The culture of non-disclosure is also harming a key dynamic within the Indian tech industry — the work of independent researchers is not being welcomed by the companies as it has been in the west. Tech companies everywhere have bug bounty programmes that incentivise the discovery of vulnerabilities and holes in the tech infrastructure. This is not generally seen as a challenge to the information security community, but as a way to work with them and create robust platforms. But in India, bug bounty programmes have been used to silence private or public disclosures of bugs and vulnerabilities.
Not only do Indian companies pay about INR 1,000 to INR 2,000 for bug bounties – in comparison to $100 Mn that US companies paid out according to a September 2020 report.
At least two security researchers that Inc42 spoke with point out that although most consumer Internet startups in India have dedicated bug bounty programmes, besides the low payouts, the researcher themselves could get into trouble for not meeting arbitrary terms and conditions.
Rajaharia said that most Indian tech startups specifically design their bounty programmes to quash evidence after initially collecting it from a security researcher. Given that there’s no law governing disclosures, Indian companies can simply pay off bounty hunters and cover up the leaks.
“Some of the terms and conditions of bug bounty programs offered by (Indian) tech startups requires the researcher to refrain from disclosing the vulnerability in the public domain, failing to which they (startups) can sue researchers for defamation…So whenever I report a bug to Indian startups, I do not go through their bug bounty program, I instead simply mail the founders directly,” adds Rajaharia.
Coming To Terms With Privacy
According to CERT-In, which maintains a database of vulnerabilities and data leaks, India had around 26,100 instances of cyber-attacks in 2020 alone, which is up from around 24,768 instances in 2019. The agency, however, does not disclose names and details of the organisations that have faced these attacks, because it isn’t empowered under the legislation. This is expected to change if and when the Personal Data Protection Bill gets enacted. Legal experts told Inc42 that under the upcoming bill, both the company or organisation and the security researcher can independently report breaches to CERT-In or other empowered government agencies.
As multiple Indian startups gear up to go public, their level of data security compliance will depend on the geography it chooses to list in. Indian startups choosing to list in the US will have to follow strict cybersecurity audits and even comply with the Federal Trade Commission’s (FTC) privacy regulations, which had earlier fined Uber and Facebook for data security breaches and lapses in privacy. One of FTC’s landmark cases includes a whopping $5Bn fine imposed on Facebook in the aftermath of the Cambridge Analytica scandal.
In India, however, no such norms would apply, and startups going public in India are likely to get away with sub-par data security practices. But this could likely change, point out lawyers and cybersecurity experts. Mobikwik, which is an IPO candidate by its own declaration, is currently being audited by RBI, which experts believe could set a precedent for other regulators as well.
Duggal, the SC lawyer, said that financial regulators like SEBI will have to change their approach when it comes to tech startups. “Cybersecurity shouldn’t be just one box to be ticked when you are going public, it should be crucial compliance for all kinds of listed companies, and those looking to go public as well. SEBI will have to start mandating a minimum standard compliance check as an essential parameter before companies can get listed.”
While most emerging tech startups may see data security as another compliance cost, the numerous revelations of data leaks from the likes of MobiKwik, Juspay, and Upstox in the past few weeks have certainly raised doubts among consumers.
Twitter is already flush with comments from concerned Internet users especially after Mobikwik CEO Bipin Preet Singh denied even a possibility of breach on the company’s systems despite evidence shared in public by security researchers. He also seemingly shifted the blame on the users.
Globally, one of the most devastating data breaches took place in September 2017 when credit resting firms Equifax announced a leak that affected more than 147 Mn users. Equifax, which stores and processes highly sensitive information related to a user’s financial behaviour, eventually ended up spending a whopping $439 Mn in legal fees and compensation, according to a report by Reuters.
However, when it comes to the Indian context, experts argue that a hefty penalty would in fact be a deterrent to ensuring security of consumer data. According to ColorTokens’ Ukil, penalties alone will not work in ensuring data security standards are met, because the law should first encourage companies to disclose instances of a breach without facing punitive action. “A penalty is definitely warranted if there is enough evidence to prove that the company hid the information after knowing it.,” he adds.
Hence until a broad privacy legislation is enacted, tech startups in India are told they should choose ethics over revenue, transparent public disclosure rather than covering up, and protection of consumer data over their own reputation. But given the toothlessness of the law in its present state and the lackadaisical attitude of the government in its own security, this is merely a suggestion and not even a strong one at that.