
Breaching of Personal Data is not a myth anymore.

The article highlights the alarming rise in cybercrime and personal data breaches in India, emphasizing the need for stronger cyber laws to protect citizens' information. It discusses various forms of cybercrime, including phishing and the exploitation of personal data, which have led to significant financial losses and privacy violations. The authors call for urgent legislative action to establish comprehensive data protection laws to safeguard individuals' rights and enhance cybersecurity measures.


Topic- Breaching of Personal Data is Not a Myth Anymore

Submitted by –
1st author - Zaid Akram Khan
2nd author - Shreya Mehta
B.A LLB
KIIT School of Law, Bhubaneswar
Contact no. 8210434254, 6200046274
Mail id – [email protected]
[email protected]
Topic – Breaching of Personal Data is Not a Myth Anymore.
*By Zaid Akram Khan & Shreya Mehta [i]
Abstract

This article discusses the rise in cybercrime in India, which is a cause for concern because the past few years have seen increased use of cell phones, unlimited internet, computers, etc. In this era of advancing cyberspace, we need to advance our cyber law as well. The article also discusses a major cybercrime occurring in this country, namely the breach of citizens' data, which has led to financial losses for many and to the loss of personal identification details that scammers have used for their mala fide motives in recent times. Overall, the article discusses data breaches, phishing, the ways in which these cybercrimes take place, the way scammers use technology to fool users, why these cyber-criminal activities are a cause for concern, and the laws regarding cybercrime.

Keywords: Cybersecurity, breach, data, cyberspace, cybercrime

Review of Literature

The immense increase in cyber-attacks in India has raised concern over data breach laws. Data breaches result in enormous problems, such as the leakage of personal information like bank details and identification details, which have been witnessed since 2022.[1] Even the annual report by Cisco reports an increase in threats in cyberspace, i.e. phishing, ransomware, social engineering and Trojans. Moreover, cybersecurity is important for business continuity, and this practice should be taught to users who are availing any sort of services.[2] Meta has also identified various malicious applications on the Android operating system.[3] The McKinsey report has also stated that 2022 was the worst year, in which enormous data breaches occurred and led to the sale of 30 million dollars customer records.[4]

[1] Aaron Drapkin, “Data Breaches That Have Happened in 2022 So Far” Tech.co, Dec. 01, 2022 https://tech.co/news/data-breaches-2022-so-far

[2] Vivek Parate, “Data Protection: An Essential Element of Any Digital Transformation Strategy” DATAVERSITY, Dec. 06, 2022 https://www.dataversity.net/data-protection-an-essential-element-of-any-digital-transformation-strategy/

[3] The Computer Center, “Metadata and Data Breaches” Mar. 26, 2021 https://www.computer-center.com/metadatadatabreaches/#:~:text=Metadata%20can%20contain%20a%20significant%20amount%20of%20confidential,research%20study%20on%20the%20causes%20of%20data%20breaches.

Introduction

Since the dawn of civilisation, man has been driven by the desire to advance and improve current technology. This has resulted in significant growth and advancement, which will serve as a springboard for future advancement. The emergence of the internet is perhaps the most significant of all the key breakthroughs achieved by humans from the beginning to the present. In this modern era, the world has found a new platform on which to interact and transact for efficient worldly affairs, i.e. cyberspace. This virtual world is as crucial as one's own personal space. Criminals have found it convenient to commit crime online, which brings us to the point that the enactment of proper laws related to various kinds of cybercrime is a serious concern.

Cybercrime is an activity forbidden by law that involves the use of devices such as computers and cell phones as both tool and target. It is rapidly evolving because of the exponential growth in the use of cell phones, the internet and computers. Cyber law issues arise at various stages: registering a domain name, subscribing to a website, downloading applications onto devices, carrying out digital transactions, etc. The major causes of cybercrime are poorly secured Wi-Fi spots, exploitation of unauthorised products, unlimited internet access, etc.

In this post-pandemic era, people have become used to digital marketing, digital transactions, digital interaction and more, so that the individual's daily course on the virtual platform is not obstructed by the closure of offline services. Therefore, the application of cyber laws is relevant and can prevent unlawful activities in cyberspace when these kinds of digital activities are carried out.

Currently, India does not have any expressly codified special law dedicated to data protection or privacy. There are relevant laws in India that deal with data protection, namely the Information Technology Act, 2000 and the Indian Contract Act, 1872, but there is a need for a codified law wholly dedicated to data protection and prevention, so that any reported data breach can be prevented and the increase in data breaches brought under control. For the time being, India’s Ministry of Electronics and IT will be introducing a data breach notification rule. This rule will apply to all the critical parts of India’s network and IT infrastructure. Under this rule, sectors including some data centres as well as cloud service providers and VPN operators will be instructed to register themselves and keep track of information about their customers for at least five years.[5]

[4] Jim Boehm, Anatoly Brevnov, Lucy Shenton, and Daniel Wallance, “The future of data-loss prevention” Jul. 13, 2022 https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/tech-forward/the-future-of-data-loss-prevention

An individual’s personal information should not be available, in an automated format, to other individuals or to any kind of organisation without their consent, as this is a matter of privacy and data protection. Such relevant and personal data should be subject to control within limits set by each individual, i.e. according to their discretion, and nothing should be binding upon them. Such information or data has been protected by various legislations so that misuse of the information can be prevented, and violation of these laws by any organisation or individual would lead to the respective punishment and fines. Thus, to protect the sensitive data of any individual on any device, various administrative, technical and physical measures need to be undertaken. Data protection and the privacy of an individual are closely linked, so breaching any particular data of an individual would be a violation of that individual's privacy. The Information Technology (Amendment) Act, 2008 clearly lays down the principle of privacy and data protection and also defines certain liabilities, such as civil and criminal offences, resulting from violations of the laws mentioned.

Breaching of Data of an individual calls for concern

A breach of data is a form of breach of privacy, which is a violation of the fundamental right guaranteed to the citizens of India by the law of the land, i.e. the Indian Constitution, as the right to privacy was considered a fundamental right under Article 21 in the landmark judgment of K.S Puttaswamy v. Union of India.[6] The personal data of an individual is breached on various levels. For instance, when an individual installs a free application on their device, the app service provider in exchange shares the device’s information, i.e. that personal data, with other companies to deliver customised products or advertisements. It does not stop here: whenever we agree to accept the terms and conditions of a software, we are unknowingly agreeing to all the clauses of a binding contract which are made according to their benefits, so even if we try to file a case against them, they have as a defence this legal contract, to which we have consented unknowingly. There should be proper legal awareness regarding this unknowing consensual contract as well as the exchange of an individual's data. Although many developed countries are enacting legislation in this area, India is lagging behind, in spite of the fact that our country has witnessed huge usage of mobile and internet connectivity in the past few years.

[5] Stephan Pritchard, “India to introduce six-hour data breach notification rule” The Daily Swig, May 05, 2022 https://portswigger.net/daily-swig/india-to-introduce-six-hour-data-breach-notification-rule

[6] K.S Puttaswamy v. Union of India, (AIR 2017 10 SCC 1)

There has been a rise in the commercial availability of various AI (Artificial Intelligence) enabled devices, which has increased the rate of data breaches not only in India but world-wide, and individuals' data is constantly under threat. A data breach can result in the leak of various types of information about an individual, such as financial data; this data can be leaked when we carry out digital transactions using our debit and credit card numbers, bank details, past invoices and other data related to someone’s personal finances. With reference to this loss of financial data, the State Bank of India released a public statement in July 2021 listing digital apps which its customers should not use in order to avoid losing their financial data.[7] This statement makes clear that the loss of an individual's financial data is not a myth anymore, and this brings us to a national concern.

Further, there is the loss of personally identifiable information, i.e. personal information which can be used to identify and locate an individual. In the year 2020 cybercrime was at a peak of 37%, and moreover there were reports from Madhya Pradesh that people lost 51 crore rupees in five years, which was further embezzled amid lockdown.[8] Not to be forgotten, in the year 2018 a massive data breach occurred which scraped the Indian government websites and breached the data of billions of people of India, including Aadhaar information, PAN, bank account IFSC codes and other personal information regarding an individual's identity which is not supposed to be disclosed in public.[9] This data was further sold by the scammers at approximately rupees 500. This has been considered the largest data breach of personal information even by the World Economic Forum's (WEF's) Global Risks Report 2019.[10] All these incidents reveal the importance of stringent and effective cyber laws which can actually regulate the ongoing cyber-crime activities in India.

[7] DNA Web team, “SBI customers alert: Stop using these apps or you will lose financial data” July 16, 2021 https://www.dnaindia.com/personal-finance/report-sbi-customers-alert-stop-using-these-apps-or-you-will-lose-financial-data-state-bank-of-india-news-updates-july-15-sbi-alerts-2900684

[8] Vivek Trivedi, “Online Fraud of More Than Rs 51 Cr in Last 5 Years in MP, Cyber Cheats Embezzled Rs 38 Cr in Lockdown” News 18, Dec. 31, 2021 https://www.news18.com/news/india/online-fraud-of-more-than-rs-51-cr-in-last-5-years-in-mp-cyber-cheats-embezzled-rs-38-cr-in-lockdown-4613105.html

[9] Yogesh Sapkale, “Aadhaar Data Breach Largest in the World, Says WEF’s Global Risk Report and Avast” Money life, Feb. 19, 2019 https://www.moneylife.in/article/aadhaar-data-breach-largest-in-the-world-says-wefs-global-risk-report-and-avast/56384.html

Information accumulated in any device, whether a mobile phone or a computer system, may be extremely sensitive, and sharing it is a personal matter for every individual; thus, as a matter of right, privacy is necessary and is a fundamental right of every individual in this country. Chapters 9 and 11 of the Information Technology Act[11] discuss liabilities for the violation of confidential data and of privacy arising out of unauthorised access to various devices. The law of our land, i.e. the Indian Constitution, recognises privacy as a right under Article 21,[12] but at the same time it also considers its growth and development, which are entirely in the hands of the judiciary. Trying to curb cyber-crime by using various repressive methods is not an option in today’s world of the internet, where it is very difficult to prevent any sort of information from being leaked into the public domain. Keeping all these things in mind, the Information Technology Act 2008 has addressed data protection. But I would also like to state that the IT Act possesses various problems in terms of protecting data and a lack of proper statute concerned with the data protection of an individual, which is the need of the hour, so that there is a reasonable balance between the personal liberty of an individual and the privacy of any person.

There are various cases of banking fraud, which have seen a violent upsurge due to the digital banking system, where users have access to online services like saving money, online shopping and many more activities. These sorts of media are breached by cybercriminals, who thereby acquire and access the data of the user.

There are various methods through which data breaches can occur; one of them is phishing. Phishing attacks are basically fraudulent imitations of communications which seem to have come from a trustworthy source but actually comprise all types of malware data sources. Phishing attacks are one of the major cybercrimes occurring in India due to the increase in the use of mobile phones, computers and free internet, which has further stimulated these sorts of attacks. The users who become victims of phishing are mostly unaware of this sort of cybercrime, and it becomes an easy method for scammers to steal someone’s information without hacking the device. Attacks like these can further facilitate access to an individual’s social media accounts, their personal data including financial data, and many other things. The process of phishing starts with a fraudulent email, text or any other mode of communication which has been designed to tempt the victim. Moreover, the message appears in such a way that the victim presumes it to have been received from a trusted sender. The victim falls prey to the fraudulent message and ends up giving all sorts of confidential, financial and identification information to what happens to be a scam, ultimately resulting in their financial loss. India was affected by phishing amidst the pandemic, as scammers ran various phishing campaigns in which they fed users fake news of Covid-19 vaccines. Scammers were trying to take advantage of people's anxiousness and fear for their own mala fide profits. These scammers portrayed themselves as selling Covid-19 vaccines and, to avoid being tracked by the authorities, transacted in bitcoin.[13]

[10] World Economic Forum, Report: The Global Risks Report 2019 14th Edition, 2019 https://www3.weforum.org/docs/WEF_Global_Risks_Report_2019.pdf

[11] Information Technology Act, 2000 (Act 11 of 2000)

[12] Constitution of India, Art. 21

As the famous proverb goes, prevention is better than cure. Therefore, before India faces any
further major cyber-attacks through which the personal data of the citizens of this country is
breached, I would like to suggest that direct investigation into the conduct of cyber-attack prone
areas should be kept in track, so that accordingly the users of those areas would be kept aware
through notification.

Conclusion

Government agencies now need to be more proactive and accountable than before, because it is high time that the security of citizens' personal information received consideration. A year before, a server was breached which held a large number of people's financial records and quite a number of police reports containing victims’ data, and extremely sensitive government information was leaked.[14] Thus, further delay in accountability for data breach incidents, as well as delay in providing remedies for these cyber-attacks, could deepen the risk, as many citizens' data is not yet properly secured. Citizens' breached information can be used by scammers on the dark web and can also be used in campaigns for social engineering attacks, which will result in major financial loss.

[13] Tech desk, “Fake Covid-19 vaccines, remedies-related scams increase exponentially on Dark net: Checkpoint report” The Indian Express, Dec. 14, 2020 https://indianexpress.com/article/technology/tech-news-technology/fake-covid-19-vaccine-scams-darknet-checkpoint-report-7104552/

[14] John Xavier, “India’s cyber defences breached and reported; govt. yet to fix it” The Hindu, Feb. 20, 2021 https://www.thehindu.com/sci-tech/technology/indias-cyber-defenses-breached-and-reported-govt-yet-to-fix-it/article33888110.ece

We are aware that cyberattacks are on the rise, and companies like Juspay, Big basket, Mobikwik, Airtel and Air India are among the recent ones to have been hunted down by scammers, with the personal data of millions of customers stolen.[15] Thus, to avoid further data breaches, businesses must ensure the implementation of effective cyber security plans, and companies must put their funds into these cyber security policies. Nodal agencies are now required to upgrade the standards of their plans so that cyber security evolves in such a way that the count of data breaches will be low. Such cyber security plans must essentially include policies on the management and handling of proprietary information, as well as training of employees dealing with sensitive and proprietary data, etc.

Cyber security plans should be part of every institution, business, start-up, government agency and organisation, so that cyber-attacks could be prevented and any loss of financial data or personal identification data is prevented. There should also be policies, strategic plans and ways of tracing the scammers in case any sort of cyber breach occurs due to a failure of the cyber security plan. Although India does not have special legislation regarding data breaches, all business companies, government institutions, agencies and organisations should possess their own cyber security rules, which would be subject to modification whenever the special legislation comes up. Till then, this would be a smart decision amidst so many data breaches occurring all over the country. Public as well as private organisations should take the initiative in spreading awareness about cyber security, so that customers and users are kept up to date.

Thus, countering cyber-attacks requires precautionary measures, and learning from past incidents is never too late a step towards preventive action. Moreover, coordination among public and private entities would also be an effective measure for regulating cyber security for users at large. Further, we should create an effective, robust system in various jurisdictions for reporting cyber-attacks to the specialised government agencies which are wholly responsible for alerting and taking affirmative action against the perpetrators. Last but not the least, spreading awareness regarding cyber security at all levels in every jurisdiction should be the utmost priority in this evolving world of digitalisation, so that the maximum number of users of the internet, cell phones, etc. have at least minimum knowledge of the importance of cyber security. Since there has been constant advancement in technology, there should be advancement of cyber security laws, so that technological advancement and legal advancement can go hand in hand for effective globalisation as well as the overall evolution of mankind. The security of any sort of data of an individual should be the utmost priority of the state, so that citizens can use cyberspace efficiently.

[15] Shivani Shinde & Neha Alawadhi, “India becomes favourite destination for cyber criminals amid Covid-19” Business Standard, Apr. 06, 2021 https://www.business-standard.com/article/technology/india-becomes-favourite-destination-for-cyber-criminals-amid-covid-19-121040501218_1.html

All in all, I would like to conclude by stating that technological and cyberspace evolution is indeed a boon for the present generation, yet it comes with banes like cyber-attacks, which must be prevented in order to utilise and experience the new era of technological evolution.

[i] Zaid Akram Khan & Shreya Mehta, B.A. LLB (Criminal Hons.), KIIT School of Law, Bhubaneswar
