India becomes favourite destination for cyber criminals amid Covid-19

With pandemic disrupting businesses and with remote working becoming reality, cyber criminals have been busy exploiting vulnerabilities. Year 2020 saw one of the largest numbers of data breaches and the numbers seem to be only rising.

According to Kaspersky’s telemetry, when the world went into lockdown in March 2020, the total number of bruteforce attacks against remote desktop protocol (RDP) jumped from 93.1 million worldwide in February 2020 to 277.4 million 2020 in March—a 197 per cent increase. The numbers in India went from 1.3 million in February 2020 to 3.3 million in March 2020.  From April 2020 onward, monthly attacks never dipped below 300 million, and they reached a new high of 409 million attacks worldwide in November 2020. In July 2020, India recorded its highest number of attacks at 4.5 million. 

In February 2021—nearly one year from the start of the pandemic—there were 377.5 million brute-force attacks—a far cry from the 93.1 million witnessed at the beginning of 2020. India alone witnessed 9.04 million attacks in February 2021. The total number of attacks recorded in India during Jan & Feb 2021 was around 15 million.

A data breach, irrespective of the modus operandi, has grown many folds in India. However, the disturbing trend in India has been firms’ failure to acknowledge that a breach has happened, which then makes individual users wonder if their data is safe at all.

Take the instance of the recent data breach at the payment firm Mobikwik. It was reported that the data breach incident has affected 3.5 million users, exposing know-your-customer documents such as addresses, phone numbers, Aadhaar card, PAN cards and so on. The company, till now, has maintained that there was no such data breach. It was only after the regulator Reserve Bank of India (RBI) asked Mobikwik to get the forensic audit conducted immediately by a CERT-IN empanelled auditor and submit the report, that the company is working with requisite authorities.

Rajshekhar Rajaharia, cybersecurity researcher who first tweeted about the MobiKwik issue, and many such breaches in India said: “Most companies, small or big, accept that they have been breached, especially when evidence of a data breach comes forward. In my experience, this makes their customers trust them even more. In the case of MobiKwik, it is surprising why they are not admitting to having been breached. They have threatened legal action against cybersecurity researchers and the fact that the leaked data has now been taken off the dark net is possibly giving them a false sense of security.”

The leaked documents, posted on the dark web on Monday, claimed to have 8.2 terabytes (TB) of data. To put this in perspective, according to some estimates, one TB can hold about 500 two-hour long movies, or 250,000 photos taken with a 12MP camera or 500 hours of high definition video.

For users in India in case of data breaches they are in a fix as India does not have a specific legislation dealing with user data breach cases or penal actions relating to the same. The Personal Data Protection Bill, which is proposed to deal with such cases of data breaches, has been pending in the Lok Sabha since 2019.

“The lack of clear regulatory frameworks and policy execution impacts our country’s overall cyber hygiene. For Cybersecurity researchers who uncover breaches, policy reforms are needed as many face threats of legal prosecution without legislative protection. Enacting cybersecurity legal policies will give all stakeholders a frame of reference and guide them towards building a more resilient digital economy. Incident reporting should also be made mandatory,” said Pankit Desai, co-founder & CEO, Sequretek, an AI based cyber security firm.

Take the case of MobiKwik’s disclosure norms. The company in its privacy policy says that although we make good faith efforts to store Information in a secure operating environment that is not open to the public, you should understand that there is no such thing as complete security, and we do not guarantee that there will be no unintended disclosures of your Information. If we become aware that your Information has been disclosed in a manner not in accordance with this Privacy Policy, we will use reasonable efforts to notify you of the nature and extent of the disclosure (to the extent we know that information) as soon as reasonably possible and as permitted by law.

None of the users whose data was available on the dark web where notified of the data breach. All the data breaches mentioned in the box (Recent data breaches in India) were reported by security firms or cybersecurity researchers. None of the companies voluntarily disclosed the information, neither to their customers nor to the media.

Saurabh Sharma, Senior Security Researcher, GReAT, Kaspersky (APAC), believes that a strong legal framework for cybersecurity is much needed in India. “We may see a strong data privacy and protection law becoming a reality soon. However, it is also the moral responsibility of the organisations to keep the sensitive data of their consumers safe, with or without a strict law demanding them to do so. Data leaks due to internal vulnerabilities have become a common instance in India, especially in the last 2 years,” he said.

Sharma said that data storage and protection has turned to be a major concern for a nation like ours that strives to grow as a digital economy.

One of the reasons for the high number of data breaches is that because India with its booming startups and powerhouses is a highly attractive market for Cybercriminals. Also, as Indian companies today are financially well to do, they have a brand to worry about apart from the massive amount of personal, financial and user behavioural data that they hold. According to a recent study by Infosys-Interbrand, the potential risk in brand value of data breach to the world’s 100 most valuable brands could amount to as much as $223 billion

“The whole point of ransomware attacks has now shifted to name and shame modus operandi. Pre-Covid, hackers would just encrypt the data and ask for a ransom to hand over the decryption key to the company. But now while they encrypt the data, but before doing that, they exfiltrate the data so that they can further pressurise and threaten the company into releasing money otherwise their customer data will be sold over the dark web. Bitcoin seems to be the new fav mode of payment as it is highly secure and almost impossible to track,” said Desai of Sequretek.

According to a study by IBM Security, the average total cost of a data breach in India touched Rs 14 crore in 2020 (an increase of 9.4 per cent from last year) as the average time to contain a data breach increased from 77 to 83 days. The cost comes to Rs 5,522 for a single lost or stolen record, an increase of 10 per cent from 2019.