The court heard a plea filed after India’s computer emergency team reportedly failed to respond to complaints and requests to investigate the data breach.
The Delhi Supreme Court announced a petition on Aug. 13 calling for a government investigation into reported data breaches at Air India, Domino’s Pizza, BigBasket and MobiKwik. The petition was submitted by the Free Software Movement of India, which made its petition available on its website. “The complaint made in this petition is that the [Indian Computer Emergency Response Team (CERT-In)] takes no action qua the incidents of cyber security breaches and data leaks that have been committed by various bodies, although the petitioner has drawn attention to them, can be found in his detailed accounts,” remarked a single-judge bench of Judge Rekha Palli. Central Government Permanent Counsel, Ajay Digpaul, asked for time to consult the government; the case will be heard next on September 23rd.
Litigation is the only option for Indians affected by data breaches. The Personal Data Protection Act, 2019, has been under scrutiny by a Joint Parliamentary Committee for almost two years; the committee has now been given until December to present its results and introduce the draft law in parliament. Without the passage of the law, India will not have a data protection agency to investigate such violations.
The government is addressing these violations in two places: in parliament (e.g. by saying it will not affect bureaucrats’ email addresses) and in responses to data protection authorities in other countries, which Air India provided following a data breach at SITA, a contractor that handles its user data. Customers didn’t have much recourse or compensation, which resulted in two journalists filing a legal notice with the national airline demanding compensation.
CERT-In ignored requests: FSMI
The petition from Y Kiran Chandra, General Secretary of the FSMI, states that she has contacted CERT-In four times. In response to the last communication, a complaints officer from CERT-In said: “We would like to inform you that CERT-IN is aware of its responsibility and does not make any requirements [FSMI’s] instructions for investigating data breaches as highlighted by you. The organizations named in your communications have been instructed to comply with the relevant statutory provisions.”
- CERT-In subject to action: FSMI said CERT-In was required by law to take action. “According to Section 70B of the Information Technology Act of 2000, CERT-In is responsible for collecting and analyzing information on cyber incidents; taking contingency measures to deal with cyber security incidents; issuing guidelines, advice, vulnerability notices on security practices, procedures, prevention, response and reporting of cyber incidents; and to request information and to give instructions to service providers, intermediaries and data centers, Corporation and any other person,” the petition reads. (Emphasis added) CERT-In’s own rules require it to respond to violations, the petition argued.
- Since there is no law, CERT-In must act: In the absence of a data protection law, it is important for CERT-In to act, the petition says. “There is currently no data protection law in India. Here, the damaged users have no legal recourse against such violations. Hence an investigation by CERT-In of common mass data breaches becomes important to protect user privacy,” says the petition. (Emphasis added)
- Respond to complaints and inquiries: The petition prayed that CERT-In be instructed to respond to its representations of the data breach and that “any other or further arrangement(s) that may be deemed appropriate and appropriate in the light of the facts and circumstances of the case” be made by the court.
What was breached
For each of the four violations, here is the user data that has been reported to have been compromised:
- Air India: A large amount of customer data was breached at SITA PSS, a technical contractor for Air India. This included “name, date of birth, contact information, passport information, ticket information, Star Alliance and Air India frequent flyer data (but no passwords were affected) and credit card data” from 4.5 million people, said Air India. Credit card details were breached, but the CVV verification codes on the cards were not, the airline said.
- Domino’s Pizza: Jubilant Foodworks, which operates Domino’s in India, was hit by a breach, with 180 million users of the Domino’s India app or website having their “order details, names, phone numbers, emails, addresses, [and] payment details” leaked, we reported in May. The cumulative order value of users on the Domino’s app and on the website was also publicly visible; the data was put up for sale.
- BigBasket: “Full names, email IDs, password hashes (potentially hashed OTPs), PIN, contact numbers (cell phone + telephone), full addresses, date of birth, location and IP addresses among other things” were breached at the food supplier, said the security company Cyble. Over 20 million users were allegedly affected. BigBasket said it will investigate and hold the “perpetrators” accountable and that other user data may have been accessed.
- MobiKwik: MobiKwik was reportedly breached, with 36 million KYC files (such as ID card scans) belonging to 3.5 million people, 7.5 terabytes of similar data for over 3 million merchants, “99 million phone numbers, emails, hashed passwords, addresses, bank accounts and card details of users” and “Over 40 million card details, up to 10 digits, were also leaked with monthly, yearly and card hash data,” we reported in March. MobiKwik co-founder and CEO Bipin Preet Singh said the data could have been obtained from anywhere, and not necessarily from MobiKwik, even though the company itself said it would get an outside forensics firm to investigate the allegations.