Launching CyberSec Charcha: IFF's monthly digital security update!

We are launching CyberSec Charcha, a free, monthly cyber security newsletter with a round up of the latest developments in digital security. Sign up today!

22 April, 2021
5 min read

Tl;dr:

With cyber threats on the rise, we are trying out something new. It is a cyber security newsletter with a round up of the latest developments in the domain of digital security. The goal of this monthly newsletter is to open a conversation about the digital security crisis India has been undergoing for a few years now and understand why this is an important issue for you to actively start engaging with. Every month I will try to sum up the key cybersec updates you should know about on a national and international scale. If there is something you think I should cover next month, drop me a line at: [email protected]. I’m listening!

For the first edition of this newsletter, I will cover something that has been in the news for a while now, i.e. the most recent data breaches that have accessed the personal data of millions of Indian users and what that means for us.

But first, what do I mean by a digital security crisis/es?

Consider the following:

  • On February 3, 2021, multiple reports suggested that the data of 2.5 Million Airtel users was compromised in a breach. The leaked data included Airtel customers’ names, phone numbers, DOBs, addresses and Aadhar numbers. Airtel denied that any such breach had occurred and alleged that the data didn’t belong to Airtel customers. However, independent researchers were able to confirm that the leaked data indeed belonged to Airtel subscribers. Their users were not informed of this breach.
  • On February 26, 2021 an Indian internet security researcher by the name of Rajshekhar Rajaharia put out a tweet that a massive data breach had put the data of 11 Crore Indian users on sale on the darkweb, allegedly from a company’s server in India. According to the tweet, the KYC details of users were leaked during the breach which included information about their PAN, Aadhar, etc. A little over a month later, on March 29, 2021 news broke that this was the data of Mobikwik’s users. Mobikwik denied any wrongdoing and blamed their users instead. Here’s a useful read if you want to learn about this breach in detail. Mobikwik’s users were also not informed of this breach.
  • In early 2020, a vulnerability that enabled seeing the phone number linked to every Facebook account was exploited, creating a database containing the information of 533m users across countries. On April 3, 2021 it was reported that the data was leaked for free to the world. Security researchers revealed that the personal data of 50+ crore Facebook users was breached, including over 60 Lakh Indian Facebook users. The leaked data includes information of users such as phone numbers, Facebook ID, location, past locations, birthdate, email address and relationship status. Facebook claimed that the data was from 2019 and they had fixed the issue. Their story has a lot of holes but the important thing to note is that regardless of when the breach occurred, Facebook did not inform its users about it.

This isn’t the first time companies have denied a data breach. In fact, many have gone to great lengths to cover up such security incidents. Moreover, these are only a few recent, handpicked instances. Ponemon’s Cost Of A Data Breach Report 2020 (commissioned by IBM) studied breaches in 17 countries (including India). They found a lot of things but here are some of their key findings that might be of interest to you:

Data from Ponemon’s Cost Of A Data Breach Report 2020

According to the bar chart above, Customer PII (Personally Identifiable Information) was the type of most often lost or stolen in breaches. This is exactly the kind of data that was leaked in the aforementioned Mobikwik and Airtel breaches. Whereas, these instances highlight a pattern of impunity with which these companies function, it is also just the tip of the iceberg. Prioritising digital security must become a part of companies and organizations’ formal policies. In a report by Accenture in 2019, (again, by Ponemon and commissioned by Accenture) that studied the Cost of Cybercrime put this across really well:

Increases in phishing, ransomware and malicious insider attacks mean that greater emphasis needs to be on nurturing a security-first culture. Accountability is key. Training and education are essential to reinforce safe behaviours, both for people within the organization and across the entire business ecosystem.

So, is there nothing we can do?

Yes there is! There’s plenty we can do on our own personal level that will really help amp up your digital security and safeguard you from quite a few, if not all, cybersecurity threats! The goal of today’s post is quite simply to disseminate information and hopefully provide you with some helpful advice on how you can regain control if your PII has been leaked in a breach.

  • Step 1: Firstly, find out if you’re amongst the millions of people who’ve had their email or phone information stolen at some point, in some data breach. If the answer is yes, and it will be for 90% of people, please change your passwords everywhere. A much better option here would be to opt for a passphrase instead of a password since they can be much harder to crack.  
  • Step 2: If you use the same password or passphrase everywhere, change them everywhere and set a completely different one for each service (avoid reusing your passwords!). This is helpful because even if your password has been compromised, it still can’t be used by anyone to gain access to your accounts if you’ve already changed your password everywhere. And a really easy way to manage your passwords for different services without having to remember them is to use a password manager. The best passwords are the ones you don’t remember!
  • Step 3: Lastly, please set complex passwords and passphrases. You can’t fight big tech and other malicious actors if your password is 12345678. There’s a lot more you can do and we’ll cover a few digisec dos and don'ts as a part of each of these blog posts / newsletters.

Amping up your everyday digital hygiene is at the core of protecting your data. Oftentimes, these concepts are accessible only by people who are comfortable using and interacting with technology in their daily lives. In order to bridge that gap, we’ve also started making digital security videos in Hindi, in an attempt to make these concepts reach a more diverse audience. If you have any ideas on how we can do a better job at reaching more people, please reach out to us. We aim to listen, learn and grow! As a parting gift, here’s an interesting listen about why you should NEVER post your boarding pass on Instagram. Let’s aim to learn from Tony Abbott’s mistakes, the bar is really not that high.

If you like the work IFF has been doing, please consider making a contribution towards our work. We are fully funded by Indians like YOU and it’s only because of your support that we can continue doing this work. Spread the word!



Subscribe to our newsletter, and don't miss out on our latest updates.

Similar Posts

1
Your personal data, their political campaign? Beneficiary politics and the lack of law

As the 2024 elections inch closer, we look into how political parties can access personal data of welfare scheme beneficiaries and other potential voters through indirect and often illicit means, to create voter profiles for targeted campaigning, and what the law has to say about it.

6 min read

2
Press Release: Civil society organisations express urgent concerns over the integrity of the 2024 general elections to the Lok Sabha

11 civil society organisations wrote to the ECI, highlighting the role of technology in affecting electoral outcomes. The letter includes an urgent appeal to the ECI to uphold the integrity of the upcoming elections and hold political actors and digital platforms accountable to the voters. 

2 min read

3
IFF Explains: How a vulnerability in a government cloud service could have exposed the sensitive personal data of 2,50,000 Indian citizens

In January 2022, we informed CERT-In about a vulnerability in S3WaaS, a platform developed for hosting government websites, which could expose sensitive personal data of 2,50,000 Indians. The security researcher who identified the vulnerability confirmed its resolution in March 2024.

5 min read

Donate to IFF

Help IFF scale up by making a donation for digital rights. Really, when it comes to free speech online, digital privacy, net neutrality and innovation — we got your back!