Last month, a site on the dark web claimed to have 8.2 terabytes of user data from the Indian mobile payments startup MobiKwik, one of the largest payment operators in the country, used by over 120 million people for everything from buying eggs to paying rent. The data breach included phone numbers, email addresses, signatures, transaction logs, partial payment card numbers, scrambled passwords, and personal identification documents of around 100 million MobiKwik users, all available in a searchable database. The asking price for the data in its entirety was 1.5 bitcoin, or about $88,000.
The MobiKwik case is possibly the biggest breach in India, but it is far from the first, and until Indian lawmakers and regulators prioritize the digital safety of an increasingly online Indian consumer base, it won’t be the last.
In January this year, a data leak on the payment platform Juspay came to light, where over 100 million users’ debit and credit card details were compromised. Late last year, the leaked personal information, including names, email addresses, password hashes, contact numbers, and addresses of 20 million customers of the online grocery store BigBasket was up for sale on the dark web. In 2018 and 2019, the health care records of 6.8 million Indians were stolen by hackers. In 2019, an unprotected server at the State Bank of India, India’s largest bank, exposed the financial information of millions of customers, including bank balances and recent transactions.
The list is impossibly long. India’s Computer Emergency and Response Team estimates that there were 1.45 million cybersecurity breaches and hacks in India from 2015 to 2020. And the breaches are increasing every year. Between 2017 and 2018, the number of incidents jumped nearly fourfold. In the first eight months of 2020, there were already 696,938 reported cybersecurity incidents. Around 90 central and state government websites also suffered from hacks and breaches in 2019–20 alone.
The spiraling of security incidents coincides with India’s increasing adoption of digital payments, particularly since the demonetization of November 2016. The move toward digital payments is the result of a concerted push by the government to encourage cashless transactions by offering incentives and concessions for Indians willing to forego cash. In a few short years, payment platforms, mobile wallets, and other consumer software have proliferated, making it easier to pay without using cash and, often, without a debit or credit card.
Simultaneously, the Indian government has pressed residents to adopt the digital ID system called Aadhaar, a unique 12-digit number tied to a citizen’s fingerprints and retinal scans, now the world’s largest biometric identification system. Though it was intended as a tool to weed out illegal subsidy transfers and cut down on corruption, the Aadhaar database has continued to add more information on nearly 1 billion Indians, linked to their banking and payment-related accounts, income tax details, property ownership information, and more. Despite the sensitive nature of the data, it remains a largely unregulated and unsecured database.
In a November 2020 report, the Internet Freedom Foundation, an independent digital liberties organization focusing on free speech, digital surveillance, and privacy, found that Aadhaar data was being sold online from “a mixture of overt hacks and unprotected servers or leaky government websites.” In 2019, the Jharkhand government’s website displayed the Aadhaar details of around 100,000 government workers.
Now, the coronavirus pandemic has shifted Indian work, entertainment, and education online without relevant laws, regulations, and frameworks to safeguard data. Existing laws in India are inadequate for the present-day realities of digital systems and online payments. The Personal Data Protection bill, a law that would establish rules and regulations for how private companies manage the personal data of their users, has been pending in Parliament since 2019. Without it, Indian users have few safeguards when it comes to their data rights.
Rohin Garg of the Internet Freedom Foundation told Rest of World that many databases are insecure “at a fundamental architectural level.” Every Indian institution, from private companies to public sector banks, is at risk of a data breach or hack.
In India’s weak regulatory environment, MobiKwik was able to deny the breach for over a month — until it couldn’t. At the time of publication, even as the Reserve Bank of India has ordered a forensic audit of its platform, MobiKwik still claims its systems are secure.
But according to Garg, the proposed data protection laws as they are currently drafted do not address the crucial gap in consumer data safety. “For example, the bill does not mandate notifying affected users in case of a breach,” he said. “Another big issue is the lack of legal protection for cyber security researchers — as can be seen in the MobiKwik incident. All of this leads to the conclusion that not only is a data protection bill needed but a robust one that adequately secures the digital rights of users.”
Despite the glaring gaps in consumer safety, India is among the fastest-digitizing nations in the world. Statistics, however, tend to ignore the digital divide created by socioeconomic realities and low digital literacy rates. While the former excludes millions without a smartphone, the latter forces those with little to no understanding of digital platforms to adopt them for crucial transactions, financial and otherwise. Only robust data laws will stem the relentless series of cybersecurity incidents and empower citizens with data rights.