“Personal Data of over 7.5 million customers illicitly leaked on dark web”

May 6, 2024
Data breaches

By Vikrant Rana , Anuradha Gandhi and Isha Sharma

In the current day and age, data drives almost every single aspect of life and in light of this, it is no surprise that data breaches are rising across the world.

Despite the fact that there were about 5.3 million Indian online account breaches in 2023 as opposed to 12.3 million in 2022, India has still climbed to the fifth worst country in terms of account data breaches as per an annual report released by the private virtual network provider. This is primarily because of the relative increase of data breaches in other countries and hackers have been targeting the personal data of customers accumulated by companies with increasing impunity.   Around 10 Indian user accounts were leaked every minute in 2023, with four in every 1000 accounts being breached, said the report.[1]

Inarguably, the year 2023 unfolded with significant breaches in data security across India. As we navigate through 2024, merely three months into the year, there have been multiple instance of data breaches in India.

In January of 2024, cybersecurity firm CloudSEK revealed that the personal data of over 750 million Indians, occupying over 1.8 terabytes, was being sold on the dark web by threat actors from CyboDevil and UNIT8200 for 3000 USD[2].

Three months later, in April of 2024, another instance of personal data breach of an enormous scale has come to light. This time, an Indian-based homegrown audio brand finds itself at the epicenter of this breach. Reports from Forbes India reveal a staggering revelation: personal data belonging to over 7.5 million customers has been illicitly leaked onto the dark web[3].

The breach, purportedly carried out by a hacker known as ShopifyGUY, had resulted in the exposure of highly sensitive personal information, including names, email addresses, phone numbers and customer IDs of the affected individuals.

This breach has left over 2 gigabytes of personally identifiable information (PII) of the users of this audio brand and this is being seen as a serious security lapse by the authorities concerned.

In response to these, the Company had recently issued a statement acknowledging its awareness of the recent claims regarding a potential data leak involving customer information.

“We take these claims seriously and have immediately launched a comprehensive investigation.”[4]

A spoke-person for the Company reassured stakeholders that a thorough investigation has been launched, emphasizing the company’s unwavering commitment to prioritizing the safeguarding of customer data.

Legal Analysis:

However, as the ramifications of such breaches reverberate across industries and consumer trust hangs in the balance, it becomes imperative to delve deeper into the legal implications that accompany such incidents.

Data breaches of this magnitude not only pose a severe threat to individual privacy but also raise pertinent questions regarding corporate accountability and compliance with data protection regulations. The fall-out from such breaches can extend beyond financial losses, encompassing reputation loss to the brand value and customer trust, along with regulatory penalties.

Under the Information Technology Act:

Section 43 of the Information Technology Act outlines several offenses related to unauthorized access, downloading, extraction and damage to computer systems and data. This means that if an organisation fails to implement adequate security measures, or conduct due diligence in safeguarding sensitive data, it can be deemed culpable in the event of a data breach.

Additionally, it imposes a liability upon such body corporate to pay damages by way of compensation to the person so affected by such breach as specified.[5]

Under the Digital Personal Data Protection Act, 2023:

Section 8 of the DPDP Act specifically deals with the “General Obligations of Data Fiduciary”.

[For your information, Data Fiduciary means any person who alone or in conjunction with other person determines the purpose and means of processing of personal data.[6]]

In accordance with the provision of Section 8(5) of the DPDP Act, a Data Fiduciary is entrusted with a responsibility to protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach.

That is to say, Section 8 typically outlines the accountability principle, which holds companies responsible for ensuring the protection and proper handling of personal data belonging to their customers or users. This principle emphasizes that data fiduciaries or companies who collect data of their customers, must take appropriate measures to safeguard personal data and be accountable for any breaches that occur.

Further, breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent personal data breach under Section 8(5) may result in penalties which may extend to two hundred and fifty crore rupees. [7]

In addition, while Section 8(5) of the DPDP Act emphasized the importance of accountability, another crucial principle that warrants equal attention is data minimization.

Under the data minimization principle, data fiduciaries or companies are mandated to collect personal data only for specified purposes, for which explicit and free consent has been obtained from individuals. Furthermore, the companies are required to retain this data only for the duration necessary to fulfill the stated purpose. This principle serves to limit the risk associated with data breaches and unauthorized access.

Companies generally tend to collect excessive personal data beyond what is necessary for their operations, or retaining data for longer period than required, which may lead them to face accountability measures under the DPDP Act.

[1] https://scroll.in/latest/1064309/over-5-million-indian-online-accounts-breached-in-2023-report#:~:text=A%20total%20of%205.3%20million,private%20virtual%20network%20provider%20Surfshark.

[2] https://www.indiatoday.in/technology/news/story/data-of-750-million-telecom-users-in-india-being-sold-on-dark-web-cyber-experts-claim-2495752-2024-01-31

[3] https://www.business-standard.com/companies/news/data-of-7-5-mn-boat-customers-leaked-on-dark-web-forbes-india-report-124040800627_1.html

[4] https://www.moneycontrol.com/news/technology/personal-data-of-7-5-million-boat-customers-allegedly-leaked-on-dark-web-12598961.html

[5] https://ssrana.in/articles/corporate-data-theft-a-major-concern/

[6] Refer to Section 2(i) of the Digital Personal Data Protection Act, 2023

[7] Refer to The Schedule of the Digital Personal Data Protection Act, 2023

Related Posts

Guidelines for Prevention and Regulations of Dark Patterns

For more information please contact us at : info@ssrana.com