By Advocate Rishabh Kumar
Published on: 27 September 2023 at 11:10 IST
There is an eminent threat to our digital ecosystem that has been looming over our head that is cyber-attacks and Data breaches. In an era dominated by digital information and interconnected systems, the specter of data breaches is posing a significant threat to individuals and organizations alike.
A data breach is characterized by unauthorized access to sensitive information that has emerged as a distinct form of cyberattack, giving rise to pressing concerns regarding data privacy and security.
With the release of our latest Digital Personal Data Protection, Act 2023 (DPDP Act), we have armored ourselves against the Social engineers that have been rampant for quiet sometime now, with phishing emails, or text messages claiming to give money or reward. In this article, we will be comprehensively discussing regarding what is data breaches and its intricacies and present ways to protect your data from data breach.
What is Data Breach?
A data breach involves unauthorized access to sensitive information, and it is distinct from other cyberattacks. This breach can include personal and corporate data. Governments have imposed obligations on organizations to protect against cyber threats and report incidents. Compliance with cybersecurity and data breach reporting laws is now essential for most organizations, often involving multiple states and regulators.
While The Digital Personal Data Protection Act, 2023 (DPDP Act) does not define Data Breach, it defines personal data breach as;
“personal data breach” means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
Rightly stating, not all data breaches are cyberattacks nor all cyberattacks are data breach.
The global average cost of a data breach in 2022 was USD 4.35 million, with the United States experiencing an average cost of USD 9.44 million. Organizations across different sectors and sizes are susceptible to data breaches, with severe consequences, particularly in healthcare, finance, and the public sector, due to the nature of the data they handle.
Need to Prevent Data Breach
Data breach costs stem from factors like lost business, expenses related to detecting and containing breaches, and post-breach costs, including fines and legal fees. Compliance with data breach reporting laws is essential, with different regulations in place at the state and Central levels.
“Personal data” means any data about an individual who is identifiable by or in relation to such data. Protecting personal data is a right under the constitution of India and now under DPDP Act., as when an organization faces data breach, the personal data of their customers are widely speeded which eventually leads to decreasing customer loyalty.
Data be it corporate or private, everyone wants to protect their data from being misused. A company would not want its competitors getting hold of their business strategies. Neither would a private individual wants his browser history to be transmitted for targeted advertisements.
How Data Breach happens?
Data breaches can result from innocent mistakes, malicious insiders, or external hackers, primarily driven for financial gain. These breaches can involve stealing financial information, personally identifiable information, or trade secrets. Some breaches are purely destructive, aiming to damage an organization.
Data breaches typically follow a pattern involving research, attack, and data compromise, with various attack vectors, including stolen credentials, social engineering, ransomware, system vulnerabilities, SQL injection, human errors, compromised credentials and physical security lapses.
Notable data breaches from companies like Dominos, Yahoo, Equifax, SolarWinds, and Colonial Pipeline demonstrate the variety of causes and associated concerns that arises with respect to data breach.
Research: The hacker looks for a target in a compromised system, they look for a weakness or weak point to exploit. They may buy previously stolen data or try a malware attack.
Attack: After identifying a target and preparing the requisite modus operandi (MO). The hacker attacks direct to exploit the weakness. Be it a social engineering campaign, stolen credentials or any other vector.
Compromise Data: After compromising the system, the hacker may either initiate a ransomware, lock, destroy or sell the data.
Data Breach in India
The average cost of a data breach in India reached an all-time high of Rs 17.9 crore in 2023, marking a nearly 28 percent increase since 2020, according to the IBM Security report. Phishing attacks were the most common type in India (22 percent), followed by stolen or compromised credentials (16 percent). Social engineering was the costliest root cause of breaches at Rs 19.1 crore, followed by malicious insider threats at nearly Rs 18.8 crore.
Detection and escalation costs increased by 45 percent over the same period, representing the highest portion of breach costs and indicating a shift towards more complex breach investigations.
Artificial Intelligence (AI) and automation played a significant role in increasing the data breach identification and containment for organizations. However, about 80% of studied organizations in India had limited (37%) or no use (43%) of AI and automation.
Globally, the report found that businesses were divided in how they planned to handle the increasing cost and frequency of data breaches. While 95% of organizations studied globally had experienced more than one breach, they were more likely to pass incident costs onto consumers (57%) than to increase security investments (51%).
In India, 28%t of data breaches resulted in the loss of data across multiple types of environments, indicating that attackers were able to compromise various environments while avoiding detection. Data breaches involving multiple environments had the highest associated breach costs (Rs 18.8 crore) and took the longest to identify and contain (327 days). Organizations in India that extensively used AI and automation experienced a significantly shorter data breach lifecycle compared to those that did not (225 days versus 378 days), resulting in nearly Rs 9.5 crore lower breach costs, making it the most significant cost-saving factor identified in the report.
Recent Data Breaches in India
- Military Data Breach 23rd March 2023
A major data breach with significant implications for national security has been uncovered by the Cyber Police. They arrested seven individuals allegedly involved in stealing and selling sensitive data from government agencies, including details of defense personnel, as well as personal and confidential information of approximately 16.8 crore citizens.
The accused were selling data related to various sectors, such as Energy and Power, PAN card data, government employees, Gas and Petroleum, High Net-worth Individuals (HNIs), demat accounts, student databases, women databases, loan and insurance applicants, and private bank credit and debit card holders, among others.
The data breach was discovered following a complaint to Cyber Police, and investigations are ongoing to determine how cybercriminals gained access to the data. The stolen information could be used for unauthorized access to important organizations, financial fraud, and various cybercrimes, raising significant concerns about data security and national security.
- 2. Dominos Data Breach – 24th March 2021
The day when Dominos compromised with data of millions of its customers. Dominos faced allegations for accusations of leak of payment and card details which the company denied. The company did officially notify the costumers of the leak to forewarn them.
13 TB worth of data was stolen by this attack, the hackers claimed to sell the data to anyone willing to pay 10 bitcoins.
Laws Governing Data Breach in India
Article 21 grants every Indian citizen the fundamental right to personal liberty which includes right to privacy and private data. This right has been the basis for Information Technology Act, 2000 (IT Act) vide Section 66E that deals with punishment for violation of privacy.
Protection of databases is provided under the Copyright Act, 1957 (Copyright Act) along with IT Act for protection of data with penal provisions for compensation. Violation of which will lead to same deterrents in respect of person divulging the data without express consent.
Section 8 (5) of the DPDP, imposes Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.
In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed.
Current penalties for data breach under IPC is Section 420 Cheating, IPC section 406 Criminal breach of Trust and Breach of Contract.
Section 42 of IT Act imposes 10 million INR fine for downloading of data without consent, and 10 million for introducing virus into a computer system/computer.
Under the DPDP Act, 2023; Failure to prevent a personal data breach incorporates the penalty up to 250cr and failure to notify the breach to the data principals up to 200cr.
How to Prevent Data Breaches?
If organizations are not aware of the risks associated with cybercrime it can be costly and damaging. Motivating and making them realize the need for data securitization is of first going concern. For organizational data protection you can implement these practices: –
Preventing and mitigating data breaches involves implementing security measures such as incident response plans, AI and automation, employee training, identity and access management (IAM), and adopting a zero-trust security approach. These measures help organizations detect, respond to, and mitigate the impact of data breaches, protecting sensitive data and reducing breach-related costs.
Incident response plans (IRP)
IRP of an organization is a blueprint for detecting, containing and eradicating cyberthreats—is one of the most effective ways to mitigate the damage of a data breach. incident response teams have an average data breach cost of USD 3.26 million—USD 2.66 million less than the average cost of a data breach for organizations without incident response teams and plans.
AI and automation
AI and digital access restrictions play a vital role in todays world to secure data. Use of technology such as SOAR (security orchestration, automation and response), UEBA (user and entity behavior analytics), EDR (endpoint detection and response) and XDR (extended detection and response) leverage AI and advanced analytics to identify threats early.
Social engineering and phishing attacks are leading causes of breaches, training employees to recognize and avoid these attacks can reduce a company’s risk of a data breach. In addition, training employees to handle data properly can help prevent accidental data breaches and data leaks.
Identity and access Management
Segregate the employees on the basis of their access level, this helps to create a roadmap and identify the breaching point. The more critical the data is, the more confidential or higher up the access will be. ensure to differentiate access points and vault systems with an encoder and private passkeys with time stamp on access timeline.
Keep all software and systems up to date with security patches to Implement a regular patch management process.
Encrypt sensitive data at rest and in transit. Use encryption protocols like SSL/TLS for data in transit and encryption algorithms like AES for data at rest.
In a rapidly evolving digital landscape, vigilance and preparedness against data breaches are paramount. By understanding the intricacies of data breaches and implementing proactive measures, individuals and organizations can navigate this complex terrain and safeguard their most sensitive information. Remember, in the digital age, data security is not just a choice but a fundamental necessity.