Why is it in the news?
- The news of an American cybersecurity company, Resecurity, uncovering the sale of personally identifiable information (PII) of 815 million Indian citizens on the dark web, including sensitive data like Aadhaar numbers and passport details, raises significant alarms.
- However, the specifics on how threat actors like pwn0001 and Lucius accessed this sensitive data remain undisclosed. The stolen PII can be exploited for various cybercrimes, including online-banking theft and tax fraud.
|Past Incidences of Data Breach:|
· Reports of Aadhaar data leaks surfaced in 2018, 2019, and 2022.
· Data from the PM Kisan website concerning farmers was disclosed on the dark web.
· A Telegram bot compromised personal data from the CoWIN portal.
Understanding Personally Identifiable Information (PII):
- PII is essential for identifying an individual, comprising data such as social security numbers, full names, or email addresses.
- Direct identifiers (e.g., passport information) and indirect identifiers (e.g., race, place of birth) are the two types of PII, with the former being unique to an individual and the latter requiring a combination to identify a person.
|The Magnitude of Threats (India)|
· India ranked fourth globally in malware detections in the first half of 2023.
· A substantial percentage of Indian businesses and governmental organizations reported a significant rise in disruptive cyberattacks.
Challenges Associated with PII:
- The variances in data protection regulations globally create a complex environment for organizations.
- The European Union’s General Data Protection Regulation (GDPR) sets a broad definition of personal data, complicating compliance for multinational corporations. Further, the organizational affiliations and political opinions are protected as PII under GDPR, whereas other jurisdictions might not classify these as sensitive.
- Other issues include Privacy, Data Management, and Safety Concerns.
Cyber Laws of India:
- In India, cybercrime is addressed through both the Indian Penal Code and the Information Technology Act, 2000, which cover a range of activities where computers can be both the tool and the target.
Creating Data Privacy Frameworks: Organizations are encouraged to develop frameworks that outline how PII is handled, protected, and when necessary, securely disposed of. This involves identifying PII, categorizing it based on sensitivity, and applying appropriate protections.
Minimizing PII Collection and Usage: The principle of data minimization calls for limiting PII collection and retention to what is strictly necessary, disposing of it responsibly when no longer needed.
Applying Data Security Controls: Security controls such as encryption and identity management are crucial. For example: Implementing two-factor or multifactor authentication; and Adopting a zero-trust architecture.
Tailoring Controls to Sensitivity Levels: It’s advised to apply stringent controls to sensitive data while balancing security and convenience for less sensitive data to avoid operational inefficiencies.
Adhering to Best Practices: Organizations and individuals should follow best practices in areas such as web application security, email security, wireless security, and awareness of phishing attacks.
|Indian Govt Initiatives to cope with cyber crimes|
· Indian Cyber Crime Coordination Centre (I4C): A National Centre for coordinating efforts against cyber-crimes.
· National Cyber Forensic Laboratory: Offers cyber forensic assistance to police across India.
· CyTrain Portal: Online platform providing courses on cyber-crime investigation and forensics.
· National Cyber Crime Reporting Portal: Public service for reporting cyber-crimes, focusing on offenses against women and children.
· Citizen Financial Cyber Fraud Reporting and Management System: A toll-free helpline for reporting and managing financial cyber frauds.
· Cybercrime Prevention against Women and Children (CCPWC) Scheme: Financial aid to States/UTs for improving investigation of cyber-crimes.
· Joint Cyber Coordination Teams: Teams to improve coordination among Law Enforcement Agencies on cyber-crimes with multi-jurisdictional aspects.
· Central Assistance for Modernization of Police: Funds for States/UTs to update police with modern equipment for cyber policing.