[BreachExchange] An Indian carrier’s data leak highlights the need for privacy laws in the country

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 17 20:45:42 EDT 2017


https://theindianeconomist.com/need-for-privacy-laws-country/

Earlier this week, an unknown entity published personal details of
subscribers to Reliance Jio, a mobile carrier based in India. The data was
available through a search engine and included people’s names, phone
numbers, and email addresses. And while tech news outlet Medianama confirms
that some of the information was legitimate, Jio said in a statement that
it believes the leaked material is ‘unauthentic.’

It’s worth noting that the information included a field for users’ Aadhaar
numbers, the unique identification number issued by the government to more
than 80 percent of Indian citizens so they can do things like apply for
subsidised rations, renew their passports and subscribe to Jio’s service.
These numbers were redacted on the site, but it’s possible that the hackers
may have them.

https://twitter.com/amit_meena/status/884029216957837316

Twitter user Amit Meena is likely to have been the first to spot the site,
magicapk.com. It’s unclear as to how many users’ details were leaked;
FoneArena claimed that the database spanned 120 million users, but Deccan
Chronicle noted last month that the carrier only had about 112 million
subscribers.

The identity of the publisher of this database, as well as the owner of the
domain and their intentions with this leak, remain unknown. All we do know
is that there’s a weak spot in Jio’s data management process and that
there’s precious little customers can do to protect themselves.

That’s because India doesn’t have strong privacy laws in place to hold
companies accountable for leaked or stolen data, and to require them to use
powerful encryption for sensitive information like customers’ details.
People can’t even take Jio to court over the leaked data which was acquired
by the carrier through the Aadhaar-based KYC system, as it’s the Unique
Identification Authority of India (UIDAI) that holds the right to their
personal information in that database. And right now, the UIDAI believes
there’s no reason to be alarmed.

As The Hindustan Times pointed out in January, the few existing
legislations that pertain to privacy in India are piecemeal at best and
don’t serve to protect citizens adequately in case of a leak like this one,
or like several others that previously affected major companies like
Zomato, Ola and McDonald’s India.

Magicapk.com has already gone down in a matter of days, but it’s possible
that the entity behind the leak might sell the data on the Dark Web, and
that others may have scraped information from the site with malicious
intentions. Meanwhile, many Jio users remain at risk of identity theft, and
the carrier remains dismissive of the threat:

"We have come across the unverified and unsubstantiated claims of the
website and are investigating it. Prima facie, the data appears to be
unauthentic. We want to assure our subscribers that their data is safe and
maintained with highest security. Data is only shared with authorities as
per their requirement. We have informed law enforcement agencies about the
claims of the website and will follow through to ensure strict action is
taken."

So when will India get a privacy law? In May 2016, the minister for
communications and information technology, Ravi Shankar Prasad, said that
legislation was in the works, but didn’t provide a timeline. It’s been a
year, and we haven’t seen anything concrete yet. With a fast-growing
internet and mobile user base, and with global cyber crime on the rise,
India would do well to prepare itself to deal with untoward incidents that
could affect its massive population.