sghosh

The biggest data breaches in India

CSO Online tracks recent major data breaches in India.

Networking cables viewed through a magnifying lens reveal a data breach.

Over 313,000 cybersecurity incidents were reported in 2019 alone, according to the Indian Computer Emergency Response Team (CERT-In), the government agency responsible for tracking and responding to cybersecurity threats.

Here, we take a look at some of the biggest recent cybersecurity attacks and data breaches in India.

Air India data breach highlights third-party risk

Date:  May 2021

Impact: personal data of 4.5 million passengers worldwide

Details: A cyberattack on systems at airline data service provider SITA resulted in the leaking of personal data of passengers of Air India. The leaked data was collected between August 2011 and February 2021, when SITA informed the airline. Passengers didn’t hear about it until March, and had to wait until May to learn full details of what had happened. The cyber-attack on SITA’s passenger service system also affected Singapore Airlines, Lufthansa, Malaysia Airlines and Cathay Pacific.

CAT burglar strikes again: 190,000 applicants’ details leaked to dark web

Date:  May 2021

Impact:  190,000 CAT applicants’ personal details

Details:  The personally identifiable information (PII) and test results of 190,000 candidates for the 2020 Common Admission Test, used to select applicants to the Indian Institutes of Management (IIMs), were leaked and put up for sale on a cybercrime forum. Names, dates of birth, email IDs, mobile numbers, address information, candidates’ 10th and 12th grade results, details of their bachelor’s degrees, and their CAT percentile scores were all revealed in the leaked database.

The data came from the CAT examination conducted on 29 November 2020, but according to security intelligence firm CloudSEK, the same threat actor also leaked the 2019 CAT examination database.

Hacker delivers 180 million Domino’s India pizza orders to dark web

Date: April 2021

Impact: 1 million credit card records and 180 million pizza preferences

Details: 180 million Domino’s India pizza orders are up for sale on the dark web, according to Alon Gal, CTO of cyber intelligence firm Hudson Rock.

Gal found someone asking for 10 bitcoin (roughly $535,000 or ₹4 crore) for 13TB of data that they said included 1 million credit card records and details of 180 million Domino’s India pizza orders, topped with customers’ names, phone numbers, and email addresses. Gal shared a screenshot showing that the hacker also claimed to have details of Domino’s India’s 250 employees, including their Outlook mail archives dating back to 2015.

Jubilant FoodWorks, the parent company of Domino’s India, told IANS that it had experienced an information security incident, but denied that its customers’ financial information was compromised, as it does not store credit card details. The company website shows that it uses a third-party payment gateway, PayTM.

Trading platform Upstox resets passwords after breach report

Impact: All Upstox customers had their passwords reset

Details: Indian trading platform Upstox has openly acknowledged a breach of know-your-customer (KYC) data. Gathered by financial services companies to confirm the identity of their customers and prevent fraud or money laundering, KYC data can also be used by hackers to commit identity theft.

On April 11, Upstox told customers it would reset their passwords and take other precautions after it received emails warning that contact data and KYC details held in a third-party data warehouse may have been compromised.

Upstox apologised to customers for the inconvenience, and sought to reassure them it had reported the incident to the relevant authorities, enhanced security and boosted its bug bounty program to encourage ethical hackers to stress-test its systems.

Police exam database with information on 500,000 candidates goes up for sale

Date: February 2021

Impact: 500,000 Indian police personnel

Details: Personally identifiable information of 500,000 Indian police personnel was put up for sale on a database sharing forum. Threat intelligence firm CloudSEK traced the data back to a police exam conducted on 22 December, 2019.

The seller shared a sample of the data dump with the information of 10,000 exam candidates with CloudSEK. The information shared by the company shows that the leaked information contained full names, mobile numbers, email IDs, dates of birth, FIR records and criminal history of the exam candidates.

Further analysis revealed that a majority of the leaked data belonged to candidates from Bihar. The threat-intel firm was also able to confirm the authenticity of the breach by matching mobile numbers with candidates’ names.

This is the second instance of army or police workforce data being leaked online this year. In February, hackers isolated the information of army personnel in Jammu and Kashmir and posted that database on a public website.

COVID-19 test results of Indian patients leaked online

Date: January 2021

Impact: At least 1500 Indian citizens (real-time number estimated to be higher)

Details: COVID-19 lab test results of thousands of Indian patients have been leaked online by government websites.

What’s particularly worrisome is that the leaked data hasn’t been put up for sale in dark web forums, but is publicly accessible owing to Google indexing COVID-19 lab test reports.

First reported by BleepingComputer, the leaked PDF reports that showed up on Google were hosted on government agencies’ websites that typically use *.gov.in and *.nic.in domains. The agencies in question were found to be located in New Delhi.

The leaked information included patients’ full names, dates of birth, testing dates and centers in which the tests were held. Furthermore, the URL structures indicated that the reports were hosted on the same CMS system that government entities typically use for posting publicly accessible documents.

Niamh Muldoon, senior director of trust and security at OneLogin said: “What we are seeing here is a failure to educate and enable employees to make informed decisions on how to design, build, test and access software and platforms that process and store sensitive information such as patient records.”

He added that the government ought to take quick measures to reduce the risk of a similar breach from reoccurring and invest in a comprehensive information security program in partnership with trusted security platform providers.

User data from Juspay for sale on dark web

Impact: 35 million user accounts

Details:  Details of close to 35 million customer accounts, including masked card data and card fingerprints, were taken from a server using an unrecycled access key, Juspay revealed in early January. The theft took place last August, it said.

The user data is up for sale on the dark web for around $5000, according to independent cybersecurity researcher Rajshekhar Rajaharia. 

BigBasket user data for sale online

Date: October 2020

Impact: 20 million user accounts

Details:  User data from online grocery platform BigBasket is for sale in an online cybercrime market, according to Atlanta-based cyber intelligence firm Cyble.

Part of a database containing the personal information of close to 20 million users was available with a price tag of 3 million rupees ($40,000), Cyble said on November 7.

The data comprised names, email IDs, password hashes, PINs, mobile numbers, addresses, dates of birth, locations, and IP addresses. Cyble said it found the data on October 30, and after comparing it with BigBasket users’ information to validate it, reported the apparent breach to BigBasket on November 1.

Unacademy learns lesson about security

Date: May 2020

Impact: 22 million user accounts

Details:  Edutech startup Unacademy disclosed a data breach that compromised the accounts of 22 million users. Cybersecurity firm Cyble revealed that usernames, email addresses and passwords were put up for sale on the dark web.

Founded in 2015, Unacademy is backed by investors including Facebook, Sequoia India and Blume Ventures.

Hackers steal healthcare records of 6.8 million Indian citizens

Date: August 2019

Impact: 68 lakh patient and doctor records

Details: Enterprise security firm FireEye revealed that hackers have stolen information about 68 lakh patients and doctors from a health care website based in India. FireEye said the hack was perpetrated by a Chinese hacker group called Fallensky519.

Furthermore, it was revealed that healthcare records were being sold on the dark web – several being available for under USD 2000.

Local search provider JustDial exposes data of 10 crore users

Date: April 2019

Impact: personal data of 10 crore users released

Details:  Local search service JustDial faced a data breach on Wednesday, with data of more than 100 million users made publicly available, including their names, email ids, mobile numbers, gender, date of birth and addresses, an independent security researcher said in a Facebook post.

SBI data breach leaks account details of millions of customers

Date: January 2019

Impact: three million text messages sent to customers divulged

Details:  An anonymous security researcher revealed that the country’s largest bank, State Bank of India, left a server unprotected by failing to secure it with a password.

The vulnerability was revealed to originate from ‘SBI Quick’ – a free service that provided customers with their account balance and recent transactions over SMS. Close to three million text messages were sent out to customers.

An avid observer and chronicler of emerging technologies with a keen eye on AI and cybersecurity. With wide-ranging experience in writing long-tail features, Soumik has written extensively on the automotive, manufacturing and BFSI sectors. In the past, he has anchored CSO Alert - CSO India's cybersecurity bulletin and been a part of several video features and interviews.


HT

Aadhaar details of 81.5 cr people leaked in India's ‘biggest’ data breach

The hacker claims to have extracted the information from the Covid-19 test details of the citizens registered with ICMR.

In what is being described as possibly the ‘biggest’ case of data leak in the country, personal details of more than 81.5 crore Indians, sourced allegedly from the Indian Council of Medical Research (ICMR), have been leaked online, as per a report in News18.

Hacker using laptop. Hacking the Internet. (Getty Images/ Representational photo)

What happened?

The report noted that the leak was initially noticed by Resecurity, an American cyber security and intelligence agency. According to the cyber firm, a ‘threat actor’ with the alias ‘pwn001’ posted a thread on Breach Forums – which describes itself as a ‘premier Databreach discussion and leaks forum’ – enabling access to records of 815 million (81.5 crore) Indians.

For a perspective, this is around 10 times the total population of countries like Iran, Turkey and Germany, the world's 17th, 18th, and 19th most populous nations, respectively. India, on the other hand, is the world's most populous country, with 1.43 billion people.

What information has been leaked?

'pwn001,' with a handle on X (formerly Twitter), advertised Aadhaar and passport information along with names, phone number, and addresses; these, the hacker claims, were extracted from the Covid-19 test details of citizens registered with ICMR.

As proof, ‘pwn001’ posted spreadsheets with four large leak samples with fragments of Aadhaar data. Upon analysis, these were identified as valid Aadhaar card IDs.

Remedial measures

While there is no official response from ICMR or government, the report states that the Central Bureau of Investigation (CBI) is likely to probe the matter once it receives a complaint from ICMR.

In addition to this, all the top officials from various agencies, as well as ministries, have been roped in. Also, to control the damage, the required Standard Operating Procedure (SOP) has been deployed.


ICMR data breach exposes details of 81.5 crore Indians: What you need to know

Personal information of 815 million (81.5 crore) Indian citizens has been compromised, with their Aadhaar and passport details, names, phone numbers, and addresses put up for sale on the dark web. Here's a rundown of the key details surrounding this alarming breach:

> The compromised data is believed to have leaked from the database of the Indian Council of Medical Research (ICMR), raising serious concerns about the security of sensitive medical records. According to reports, the hacker claimed that the data was extracted from the COVID-19 test details of citizens, which were sourced from the ICMR.

> On October 9, the hacker, using the alias 'pwn001' posted a jaw-dropping offer on a notorious dark web forum, listing the entire dataset for sale at $80,000 (approximately Rs 67 lakh).

> Cybersecurity firm Resecurity engaged with the hacker 'pwn001', who shared spreadsheets containing Aadhaar data for verification. Resecurity's team confirmed the authenticity of the IDs, highlighting the severity of the breach.

> Since February 2023, there have been more than 6,000 reported cyberattacks on the ICMR. While the medical research organisation was made aware of these attempts, it appears that 'pwn0001' successfully breached the ICMR's defenses.

> This isn't the first instance of a major data breach affecting Indians. In August, Resecurity had reported another breach that involved a colossal 1.8 terabytes of data being sold online with the title 'Indian internal law enforcement organisation'. Disturbingly, this breach also included personally identifiable information sourced from Aadhaar IDs, Voter IDs, and driving license records. Some of these records were traced back to a company specialising in pre-paid SIM cards.

> Resecurity’s findings coincide with a global threat landscape that has seen India emerge as a top-five geography for cyberattacks, according to a recent vendor survey. This survey found that India ranked fourth globally in online banking malware detection and top-five globally in all malware detections in the first half of 2023.

> Another breach in June had exposed the Aadhaar and/or passport numbers of vaccinated individuals when a Telegram bot enabled individuals to retrieve information from the COWIN vaccination portal's database. Two people including a minor were arrested for the breach. 

> The legal framework for such data breaches is still pending, as the Digital Personal Data Protection Act of 2023, despite receiving approval from the Parliament and the President's assent in August, has not yet been officially enforced.


AIM

  • Last updated October 30, 2023

ICMR Data Leak Exposes 81.5M Indians’ Personal Information

  • Published on October 30, 2023
  • by Tasmia Ansari

In what could potentially be the largest data breach in India’s history, sensitive details of 81.5 million Indians have surfaced on the dark web, as per reports. One of the most concerning aspects of this breach is that the epicenter of the leakage has not been pinpointed. The ICMR has been under cyber-attacks since February, with over 6,000 attempted breaches recorded last year.

This alarming development has prompted India’s investigative agency, the Central Bureau of Investigation (CBI), to prepare for a thorough probe into the incident, pending an official complaint from the Indian Council of Medical Research (ICMR).

The breach was brought to public attention when a ‘threat actor’ using the pseudonym ‘pwn0001’ advertised the stolen database on a breached forum in the dark web. The compromised information includes Aadhaar and passport details, along with names, phone numbers, and addresses. According to the ‘threat actor,’ this extensive dataset was obtained from the Covid-19 testing records collected by ICMR.

Central agencies and the council were aware of the continuous threats and had urged the ICMR to strengthen its cybersecurity measures to prevent any data leaks.

The seriousness of this incident prompted the involvement of the Computer Emergency Response Team of India (CERT-In), which notified the ICMR about the breach. The verification of sample data for sale matched with the actual data from ICMR, triggering an immediate response from relevant government agencies.

As the breach is suspected to involve foreign actors, the case has gained significant attention at the highest levels of government. Multiple agencies and ministries have been mobilized to address the crisis and investigate the breach thoroughly. Remedial measures are already in place, and Standard Operating Procedures have been deployed to mitigate further damage.

The Covid-19 test data in question is dispersed among several government entities, including the National Informatics Centre (NIC), ICMR, and the Ministry of Health, making it difficult to trace the source of the breach.

The American cyber security and intelligence agency Resecurity was the first to identify the data leak. ‘pwn0001’ posted information about the breach on Breach Forums on October 9, offering access to 815 million “Indian Citizen Aadhaar & Passport” records. To provide perspective, this volume of compromised data exceeds the entire population of India, which stands at just over 1.486 billion people.

Analysts found that one of the leaked samples contained 100,000 records of personally identifiable information related to Indian residents. Some of these records were cross-verified through a government portal’s “Verify Aadhaar” feature, confirming the authenticity of Aadhaar credentials.

  • Data of 81.5 crore Indians dumped on dark web

  • Muqbil Ahmar ,
  • Updated On Oct 31, 2023 at 04:35 PM IST

  • By Muqbil Ahmar ,
  • Published On Oct 31, 2023 at 11:33 AM IST


IBM Report: Average cost of a data breach in India touched INR 179 million in 2023

INDIA, Bengaluru, July 25, 2023 -- IBM (NYSE: IBM) Security today released its annual Cost of a Data Breach Report [1], showing the average cost of a data breach in India reached INR 179 million in 2023 – an all-time high for the report and almost a 28% increase since 2020. Detection and escalation costs jumped 45% over this same time frame, representing the highest portion of breach costs, and indicating a shift towards more complex breach investigations.

At nearly 22%, the most common attack type in India was phishing, followed by stolen or compromised credentials (16%). Social engineering was the costliest root cause of breaches at INR 191 million, followed by malicious insider threats, which amounted to approximately INR 188 million.

According to the 2023 IBM report, globally businesses are divided in how they plan to handle the increasing cost and frequency of data breaches. The report found that while 95% of organizations studied globally have experienced more than one breach, these breached organizations were more likely to pass incident costs onto consumers (57%) than to increase security investments (51%).

“With cyberattacks growing in pace and cost in India, businesses must invest in modern security strategies and solutions to stay resilient. The report shows that security AI and automation had the biggest impact on keeping breach costs down and cutting time off the investigation - and yet a majority of organizations in India still haven’t deployed these technologies. It’s clear that there is still considerable opportunity for businesses to boost detection and response speeds and help stop the ongoing trend of growing breach costs,” said Viswanath Ramaswamy, Vice President, Technology, IBM India & South Asia.

Breaching data across environments

In India, 28% of data breaches studied resulted in the loss of data spanning multiple types of environments (i.e., public cloud, private cloud, on-prem) – indicating that attackers were able to compromise multiple environments while avoiding detection. When breached data was stored across multiple environments, it also had the highest associated breach costs (INR 188 million) and took the longest to identify and contain (327 days).

Need for AI and automation to pick up speed in India

AI and automation had the biggest impact on the speed of breach identification and containment for studied organizations. In India, companies with extensive use of AI and automation experienced a data breach lifecycle that was 153 days shorter compared to studied organizations that have not deployed these technologies (225 days versus 378 days). In fact, studied organizations that deployed security AI and automation extensively saw nearly INR 95 million lower data breach costs than organizations that didn’t deploy these technologies – the biggest cost saver identified in the report. In this context, it is important to note that 80% of studied organizations in India have limited (37%) or no use (43%) of AI and automation.

Additional Sources

  • To download a copy of the 2023 Cost of a Data Breach Report, please visit: https://www.ibm.com/security/data-breach.
  • Read more about the report's top findings in this IBM Security Intelligence blog.
  • Sign up for the 2023 IBM Security Cost of a Data Breach webinar on Tuesday, August 1, 2023, at 11:00 a.m. ET here.
  • Connect with the IBM Security X-Force team for a personalized review of the findings: https://ibm.biz/book-a-consult.
  • For a closer look at the report recommendations visit: Cost of a Data Breach Action Guide.

About IBM Security

IBM Security helps secure the world's largest enterprises and governments with an integrated portfolio of security products and services, infused with dynamic AI and automation capabilities. The portfolio, supported by world-renowned IBM Security X-Force® research, enables organizations to predict threats, protect data as it moves, and respond with speed and precision without holding back business innovation. IBM is trusted by thousands of organizations as their partner to assess, strategize, implement, and manage security transformations. IBM operates one of the world's broadest security research, development, and delivery organizations, monitors 150 billion+ security events per day in more than 130 countries, and has been granted more than 10,000 security patents worldwide.

[1] The 2023 Cost of a Data Breach Report, conducted by Ponemon Institute, is sponsored and analyzed by IBM Security.


Air India data breach: Hackers access personal details of 4.5 million customers


An Air India passenger flight prepares for landing to the Biju Patnaik International Airport in the eastern Indian state Odisha's capital city Bhubaneswar (Photo by STR/NurPhoto via Getty Images)

Air India has admitted to a massive data breach that compromised the personal data of about 4.5 million passengers.

The breach, confirmation of which comes two months after SITA's Passenger Service System (PSS) was hacked, affected customers who registered between August 2011 and late February 2021, Air India said in a statement. Compromised data includes customers’ name, date of birth, contact information, passport information, frequent flyer data and credit card data, although CVV/CVC numbers weren't included.

Passwords weren’t accessed by the hackers, Air India added, although it’s urging all customers to change their passwords as a precaution.

The airline said it first learned of the incident on February 25, but only learned the identities of affected passengers on March 25 and May 4.

"This is to inform that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers," Air India said in a breach notification sent over the weekend. 

The airline said it has taken steps to ensure data safety, including “investigating the data security incident; securing the compromised servers; engaging external specialists of data security incidents; notifying and liaising with the credit card issuers, and resetting passwords of Air India FFP program.”


However, Air India customers are unlikely the only victims of the SITA hack. The company told Bleeping Computer in a statement that customers from several airlines were affected, including travelers who flew with Air New Zealand, Cathay Pacific, Finnair, Jeju Air, Lufthansa, Malaysia Airlines, SAS and Singapore Airlines.

“By global and industry standards, we identified this cyber-attack extremely quickly. The matter remains under active investigation by SITA,” the company said.

“Each affected airline has been provided with the details of the exact type of data that has been compromised, including details of the number of data records within each of the relevant data categories, including some personal data of airline passengers.”

Carly Page

Explained | What does the alleged CoWIN data leak reveal?

What are the possible reasons for a breach? Are legacy systems the weak links in the chain? Is this the first time this has happened? Does India have a data protection bill? What has been the response of the Indian Computer Emergency Response Team?

June 18, 2023 04:50 am | Updated 01:23 pm IST

CoWIN is a government-owned web portal set up in 2021 to administer and manage India’s COVID-19 vaccine rollout. File | Photo Credit: The Hindu

The story so far: On June 12, reports emerged that a bot on the messaging platform Telegram was allegedly returning personal data of Indian citizens who registered with the COVID-19 vaccine intelligence network (CoWIN) portal for vaccination purposes. The bot spewed out personal details like name, Aadhaar and passport numbers upon entry of phone numbers. On the same day, the Health Ministry denied reports of a data breach, and said the allegations were “mischievous in nature.” It added that the Indian Computer Emergency Response Team (CERT-In) was reviewing existing security infrastructure of the portal. Separately, the Minister of State for Electronics and IT Rajeev Chandrasekhar said the nodal cyber security agency had reviewed the alleged breach and found that the CoWIN platform was not “directly breached.”

What does the CoWIN portal track?

CoWIN is a government-owned web portal set up in 2021 to administer and manage India’s COVID-19 vaccine rollout. The health register-style platform leverages existing public digital infrastructure like the Electronic Vaccine Intelligence Network (eVIN), an app that provides data on vaccine cold chains in the country; Digital Infrastructure for Verifiable Open Credentialing (DIVOC), a vaccine certificate issuer; and Surveillance and Action for Events Following Vaccination (SAFE-VAC), a vaccine adverse event tracker.

The platform, on a real-time basis, tracks vaccines and beneficiaries at the national, State, and district levels. It monitors vaccine utilisation and wastage, and maintains an inventory of the vials. For citizens, CoWIN verifies identity, helps schedule vaccine appointments, and issues a vaccine certificate. The database captures information flowing from four separate input streams — citizen registration; health centres; vaccine inventory; and vaccine certificates. Each stream functions independently, and at the same time exchanges data to minimise redundancies. The platform is a microservices-based, cloud-native architecture developed from the ground up on Amazon Web Services (AWS). A microservice architecture is a pattern that arranges an application as a collection of loosely linked, fine-grained services. These services interact with each other through certain set protocols.

What is the background to the data breach?

This is not the first time reports about data leaks have emerged. In January 2022, the personal data of thousands of people in India were reportedly leaked from a government server. The information included COVID-19 test results, phone numbers, names and addresses of citizens. The data could be accessed via online search. In December, in a separate security breach, an Iranian hacker claimed to be in possession of data from the CoWIN database.

Both the reports of the data leak were rubbished by the Ministry of Electronics and Information Technology (MeitY). There is no record of any investigation being carried out by CERT-In in connection with these data leaks. Even the vulnerability notes which the nodal cybersecurity agency shared on a regular basis made no reference to these breaches.

On the recent data leak, though the IT Minister said that CERT-In has completed its review and found no breach in the CoWIN system, the cybersecurity agency has not directly put out any update saying that it is either investigating the breach or has filed a review on it. However, a report in The Indian Express said the agency is in discussion with at least 11 State governments that had developed their own databases.

How did the Telegram bot get access to CoWIN-related data?

There are a few ways to examine this data breach and see where things could have gone wrong. Cloud providers like AWS, Microsoft’s Azure and Google Cloud typically provide security only for the underlying infrastructure, and not for the applications and databases built on it. Customers hosting their data are responsible for what they build in a cloud environment. The absence of AWS in CERT-In’s vulnerability notes last year could mean there was no security lapse at the cloud infrastructure’s end.

While the cloud offers superior security compared to traditional data centres, legacy systems deployed in virtual servers are the weak links in the chain. Such links are a perfect route for hackers to gain entry into a database. This shifts the focus to CoWIN, which was built leveraging legacy software tools. So, an entry point for those behind the bot may have been an old system that was connected to the portal.

In past data breaches, cybersecurity experts have attributed data leaks to human error or negligence in setting up databases in the cloud. Misconfiguring a system, or involvement of third-party apps with limited privacy features, could have also exposed user data to unauthorised people.

What is the larger picture?

Whatever the outcome of the CERT-In probe, the fact remains that sensitive personal data of millions of Indian citizens who signed up for the COVID-19 vaccination is in the hands of cybercriminals. It is unclear how they plan to use this information. But such leaks reveal India’s unfinished data protection business. A data protection law could be a useful tool in fixing accountability and building safeguards around the use and processing of personal data.

In 2017, the Supreme Court of India recognised privacy as a fundamental right, highlighting the need to protect personal information. But the country is still struggling to frame a personal data protection policy.

What we know and don't know about the alleged Aadhaar data leak

In a controversial revelation, an alleged breach exposed over 815 million records of Indian citizen data. However, verification of these claims remains elusive.

According to the seller, the leaked data included sensitive information such as names, fathers' names, phone numbers, passport numbers, Aadhaar numbers, ages, genders, addresses, districts, pincodes, states, and towns.

Resecurity, a cybersecurity firm, analyzed the sample dataset of 1 lakh entries shared by the seller. Their analysis revealed the presence of valid Aadhaar Card IDs, which were subsequently cross-checked via a government portal with a "Verify Aadhaar" feature. The entire data breach was listed for sale at a substantial price of $80,000.

PII Belonging To Indian Citizens, Including Their Aadhaar IDs, Offered For Sale On The Dark Web

[ALERT] Aadhar data is safe. Data leak of 81.5 Crore Indians Aadhar card seems fake. It seems the leaked data belongs to the mobile operators and the source might be some third party. Might be there are a few lakh people's data was compromised and there is no evidence that 81.5… pic.twitter.com/5GYoKN6zGb — Rajshekhar Rajaharia (@rajaharia) October 31, 2023

Durex India protection fails, customer data left exposed

A big data breach has affected Durex India, the regional division of the well-known British condom and personal lubricant business. Sensitive consumer data was exposed, which presents major privacy and security concerns. The breach, which exposed personal data including users’ complete names, phone numbers, email addresses, shipping addresses, and order details, was initially discovered and reported by security researcher Sourajeet Majumder. We will discuss the ramifications of this data breach, possible customer fallout, and the overall effect on Durex India’s operations and reputation in this piece.

Scope and Severity of the Data Breach

Security researcher Sourajeet Majumder found the Durex India data breach and notified TechCrunch of it. Majumder claims that insufficient security on the brand’s order confirmation page was the cause of the incident. Sensitive customer information was exposed by this bug, though it’s not yet known how many people were directly impacted.

Highly sensitive data, including complete names, phone numbers, email addresses, shipping addresses, and order details of clients, are among the compromised data. There is a serious privacy risk associated with this compromise because of how personal Durex’s products are. Such personal information being made public can have a lot of negative effects, such as financial fraud, identity theft, and possible harassment.

Potential Impact on Customers

There are significant and worrisome ramifications for consumers from this data compromise. In a culturally conservative country like India, the sensitive nature of the stolen data—especially information about individual preferences and purchases—could expose consumers to social humiliation, embarrassment, and even moral policing. Majumder cautioned that this could result in moral and social harassment for individuals impacted.

In addition, the disclosure may make identity theft and fraud easier because hackers might use the information for nefarious ends. Consumers may experience fraudulent transactions or phishing attempts that take advantage of their divulged personal data. Furthermore, since the compromised data contains contact information, there is a greater chance of unsolicited solicitation and targeted harassment.

Reputational Damage and Loss of Trust

The reputation of Durex India is probably going to suffer greatly as a result of the data breach. Any brand, but particularly those selling personal lubricants and condoms, needs to be able to rely on trust. When buying such products, customers anticipate a great degree of confidentiality and privacy. Consumer confidence in Durex India may decline significantly as a result of this betrayal of trust.

Potential buyers may be discouraged from buying Durex goods due to negative publicity surrounding the breach, since they may worry that their privacy may be violated. In the fiercely competitive personal care sector, Durex India’s sales and market share may be adversely impacted by this lack of trust. Additionally, current clients can move to rivals who are thought to have superior data security procedures.

Legal and Regulatory Ramifications

Durex India may be subject to legal and regulatory repercussions as a result of this data breach, in addition to the immediate effects on consumers and the company’s reputation. Companies must use appropriate security measures to safeguard the personal information of their clients in accordance with India’s data protection legislation. Majumder notified the Computer Emergency Response Team of India (CERT-In) of the incident; if this is not done, authorities may take regulatory action.

If Durex India fails to sufficiently protect consumer data, regulatory organizations may start proceedings against them. Affected customers may file lawsuits against the business, demanding damages for any potential harm the data breach may have caused. The financial and operational resources of the corporation may be further taxed by these legal battles.

The Durex India data breach serves as a clear reminder of how crucial data security is, especially for companies that handle sensitive consumer data. Customers could suffer greatly as a result, from identity theft to social harassment. Durex India needs to take prompt, open action to lessen the consequences, safeguard impacted consumers, and rebuild confidence in its reputation. Businesses need to give cybersecurity top priority as data breaches happen more frequently in order to safeguard their clients and uphold their good name in an increasingly digital society.

Ishaan Negi

Alleged HDFC Bank subsidiary data breach: The inside story

  • Muqbil Ahmar,
  • Updated On Mar 11, 2023 at 11:42 AM IST

  • Did Lentra pay the hackers before the data was leaked?
  • Why did the hackers release the data if they got the ransom?
  • Worst case: Hackers leaked the data to show Lentra that they had it in their control and to drive home the point that they should pay the ransom. If that is the case, there may be other organizations' data with them that may be waiting to get leaked.
  • By Muqbil Ahmar,
  • Published On Mar 10, 2023 at 08:55 AM IST

Over 60% companies in India follow problematic data practices: Study

These practices, as defined by the report, include excessive data collection, secondary processing without consent, among others.

First Published: Aug 30 2024 | 8:43 PM IST

Case study on data breach scandal of Byjus

This article has been written by Vishal Raghavan, pursuing the Diploma in Business Laws for In-House Counsels from LawSikho.

Data breach issues in recent times. How are tech companies a target?

The next war will be fought not on sea, air or land but in cyberspace. There may be no generals preparing war strategies, no tanks rolling across the ground to hit targets, and no gung-ho infantry soldiers facing direct enemy automatic fire.

Instead, there will be a group of nerds wearing cool sweatshirts and pants, with a Diet Coke and some nachos on their desks, along with their arsenal of computers and electrical devices. Today a computer with an internet connection is enough to disrupt a country’s economy.

In this era of mammoth corporations and industries, many companies are targeted by hackers because they are gold mines of data. Data here includes everything that belongs to an individual or a company, such as email IDs, addresses, personal documents, names, ages, biometrics and chat logs. Hackers target these companies because loopholes in servers or weak cyber security make them sitting ducks. Once such data is in the wrong hands, it can create havoc, for example by being used for illicit activities.

Companies like Apple, Amazon, Google, Microsoft and other elite companies of Silicon Valley all have a history of getting hacked.

In this article, we look at one of India’s biggest unicorn EdTech firms, Byju’s, and how its servers were breached not once but twice during the coronavirus-induced pandemic in 2020-2021. We also cover how data in the wrong hands could disrupt a country’s economy or individuals’ privacy; the parties involved in a cloud-based environment; who is liable for a breach; India’s Personal Data Protection Bill 2019; the definitions of data under Indian and European law; the measures companies should take to prevent and mitigate breaches; the legal recourse available in case of a breach; and creating cyber security awareness among netizens.

It’s raining unicorns in India

It has been more than a year, and the pandemic has kept us in our homes like soldiers in bunkers during a war. But the virus has not affected the startup ecosystem in India; startups are still emerging with bright ideas and solutions to offer. Since 2020 there has been a rise and shift in Indian unicorns. The phrases ‘It’s raining unicorns for India’ and ‘India’s unicorn party is just getting started’ were everywhere in the media. In 2021, the Indian startup ecosystem has seen 14 startups enter the elite class of unicorns, including Cred, Groww, Meesho and Pharmeasy, to name a few. Byjus, an EdTech platform that provides online coaching for students from Grade 5 up to coveted competitive exams like IAS, JEE and NEET, entered the unicorn class in 2020, third after Paytm and OYO Rooms. But in 2021, as the number of unicorns grew, Byjus jumped directly from third to first place as India’s biggest unicorn.

There is almost no Indian who doesn’t know Byjus, as it has a huge marketing budget. Its TV commercials have aired with seasoned film industry actors like Shah Rukh Khan and Mohan Lal and sports tycoons like Virat Kohli. Byjus is one of the Indian cricket team’s many sponsors, and the team’s blue jersey carries its initials on the front.

Byju’s, today a mammoth that is second to none in the education industry, recently caused a huge controversy when its servers suffered a breach of customer data in June 2021. Let us discuss the series of data breach incidents that happened at Byjus within a span of one year, from 2020 to 2021.

Byjus faced its first data breach in November 2020, followed by a second breach in June 2021.

November 2020 data breach

Data of White Hat Junior, newly acquired by Byjus, was breached. An independent cyber security researcher who doesn’t want to be named reported to the company that a server containing users’ emails, names, addresses, ages, phone numbers and chat logs, as well as users’ parents’ data and staff chats, was lying unsecured and open for anyone to see, copy or download.

Companies collect users’ data. This data is used for registration and authentication on their portals. It also includes voice/chat logs between students/parents and teachers, users’ most-watched lessons/videos, etc. Such data is stored either on the company’s own server or with a third-party cloud service provider that manages the company’s data.

June 2021 data breach

This breach was a slap in the face for this unicorn, as it is the second consecutive breach faced by Byjus. The previous lesson wasn’t sufficient, and the company ignored the cyber security lessons that it teaches to students in its own courses.

This breach was reported in June; the server had been open since at least 14th June 2021, as reported by Mr. Anurag Sen, a cyber security researcher by profession. Byjus depends on Bengaluru-based startup ‘Salesken.ai’, an AI customer relationship management (CRM) services provider, for its customer service management. CRM is one of the prominent drivers of business development. Such providers collect customer data like voice and chat logs and use it to track customers’ behaviour and to offer them services and offers. The data includes everything from email, address, age, chats and mobile number. Most of the data was of Whitehat Junior, newly acquired by Byjus.

One of the servers was unprotected, without any encryption or password, and open for anyone to copy the data. More than 20 thousand users’ data was breached. Salesken claims that there wasn’t any breach as it was an open-source and staging server, meaning not the actual one where real data is stored.

Byjus, which gives lessons on data breaches and the country’s new PDP bill, has itself been breached not once but twice. If an EdTech giant can face this, then any ordinary user is vulnerable to it. This is not the only such company; many big ones like Apple, Amazon, Google and Microsoft have suffered the same plight.

What can be done with data?

In cyberspace, there is a saying: ‘Data is the new oil’. Today, having data at one’s fingertips is more terrifying than a monopoly on oil. Our daily chores involve some electronic device or other. From mobile journaling to photography, shopping to repair services, we have technology and applications for everything.

Websites and applications like Facebook, Zomato, BigBasket and Dominos are all free to download and use. Social media websites and services like Facebook and Gmail, to name a few, are totally free to users. At least that’s what they claim. In legal language there is the Latin term ‘Quid Pro Quo’, meaning ‘a favor for a favor’. This applies in cyberspace too, where social media companies claim to be free but take our data in return. We must have seen, while installing an application on our phones, that it is mandatory to grant it permission to access our phone in order to use its services.

We grant permission by accepting the Terms and Conditions of the application without even reading them. If we check which permissions have been granted, we can see that the application has access to our SMS, calls, photos, system, camera and microphone.

Parties involved in a cloud-based environment?

Byjus and many other startups depend on cloud-based services to store and manage data, such as Amazon AWS, IBM Cloud and Microsoft Azure Cloud Storage. Byju’s uses Amazon AWS (Amazon Web Services) as its cloud services partner.

Now there are three parties involved:

  • Data Holder – third-party cloud service provider, like Amazon AWS, IBM Cloud, Microsoft Azure Cloud Storage

Salesken comes under ‘Data Holder’, although it is not a cloud services provider but an AI-based CRM or sales software provider.

Who is liable for the breach? 

In cloud environment breaches, under US law the Data Owner or the commercial services provider is liable even if the mistake was made by the Data Holder or cloud service provider. This is because the Data Holder is a vendor bound by standard vendor agreement contracts, which exclude consequential damages (i.e. indirect or special damages, loss of product, or loss of profit or revenue) and only cap direct damages.

In the Indian context, there are currently no specific provisions for ‘Data’. The IT Act 2000 has no provisions specifically for data breaches except Section 43A, and since the Act was enacted in 2000 its scope and use are very limited. But a separate law, the Personal Data Protection (PDP) Bill, is on the table for framing. This will be a separate law specifically for data protection.

PDP Bill 2019

This bill was introduced in the Lok Sabha on December 11th, 2019 by Mr. Ravi Shankar Prasad, Minister of Electronics and Information Technology. The bill amends the Information Technology Act 2000 to delete the provision on compensation payable by companies for failure to protect personal data.

It categorizes data into subgroups such as biometric data, financial data, sensitive personal data, genetic data and health data, and penalizes defaulters accordingly. The rights of the Data Principal, i.e. the natural person to whom the personal data relates, include (i) obtaining confirmation from the fiduciary on whether their personal data has been processed, (ii) seeking correction of inaccurate, incomplete or out-of-date personal data, and others.

Data can be processed by a fiduciary only if individuals provide consent. The exceptions are processing by the State for providing services, and legal or medical proceedings.

Right to privacy case

It was Justice Puttaswamy’s landmark judgement in August 2017 (Justice K.S. Puttaswamy & another Vs. Union of India) which recognized the Right to Privacy as a fundamental right under Article 21 (Right to Life and Personal Liberty) of the Indian Constitution.

When an individual’s data is breached, his privacy is also breached, as the data contains the individual’s personal information, which can be used as leverage. This judgement protects victims of data breaches and gives rights to citizens.

Definitions of DATA under legal instruments

In the Indian context, the Information Technology (IT) Act 2000, Section 2(1)(o), states: “data” means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalised manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network, and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;

The European Union’s GDPR or General Data Protection Regulations Article 4.1 defines – “personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

From the above two definitions of Indian and European context, we can confer that data includes any information of a Natural Person or individuals Name, Sex, Age, Address, Occupation, Email ID, Phone Number, Employment Status, Chats, Pictures, Call logs. This definition is not exhaustive.

What measures should be taken by companies?

Besides allocating a huge budget for marketing and branding, today it is very pertinent that a good budget is allocated for cyber security. The new IT Rules mandate the appointment, in every company, of a Nodal Officer who has expertise in cyber security and cyber threat intelligence. A third-party cyber security firm should be hired to periodically audit the company’s cyber space. If data is compromised, the users must be notified immediately.

What is the legal recourse that can be taken?

  • The first thing the affected user must do is change the passwords of email IDs and other accounts associated with the breached portal.
  • Enable 2FA (two-factor authentication) or multi-factor authentication. It adds a second layer of security to accounts: along with the conventional password, an OTP must be entered.
  • If spam messages, calls, or emails are received, then ‘Report and Block’ them.
  • If someone still harasses the user by asking them to send money or pictures, by offering a job in return for a payment, or with offers that are ‘too good to be true’, then immediately contact the local police station and lodge a complaint.

2FA, or multi-factor authentication, is the best anti-hack tool, as suggested by Mr. Rakshit Tandon, one of the best cyber security experts in India, who now supports the Indian Police and Defense agencies by educating, advising, consulting and working with them.

From military systems to corporations like Apple and Google to ordinary internet users, all are vulnerable to data breaches and hacking. The military, companies and ordinary users all use the internet for office work, school, training, and entertainment. Today it is very easy to get hacked or to have one’s data breached. From the above information, we have seen that if a big company like Byju’s can suffer a data breach, then an ordinary user’s data can be compromised too, which is why cyber security and cyber awareness are so important in averting such situations. Hackers use small loopholes in a system to create a backdoor, which ultimately compromises the whole company and its users.


Top 10 operational impacts of India’s DPDPA – Data breaches

Chirag Jain, Rishi Anand, Shreya Singh

Aug 22, 2024

This article is part of a series on the operational impacts of India's DPDPA.

Published: August 2024


India's need for tighter cybersecurity has been growing with increasing digitization and connectivity, both locally and globally. While India's government has taken steps to enhance cybersecurity measures through policies and regulations, there has been a rapid surge in cyber incidents, including ransomware attacks, phishing schemes and data breaches.

Regarding data security, in 2022 the Indian Computer Emergency Response Team, the national agency tasked with performing various functions around cybersecurity, issued directions related to information security practices, procedures, prevention, response to and reporting of cyber incidents.

Since then, the government's initiatives indicate a shift in focus toward regulating and imposing higher penalties on data fiduciaries, given their crucial influence on managing the flow of personal data, rather than cracking the whip on cybersecurity incidents themselves.

India's Digital Personal Data Protection Act defines a personal data breach as "any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data."

While this definition has more or less remained identical through all drafts of the data protection legislation deliberated by the government prior to the DPDPA's passage, there has been a major shift in the regulatory approach compared to the foremost framework, the Personal Data Protection Bill, released in 2018. While the 2018 framework enumerates the obligations of data fiduciaries in the case of a personal data breach in finer detail, the DPDPA outlines the broad contours of the obligations within just two provisions under Section 8.

First, as a preventive measure, the DPDPA requires data fiduciaries to take reasonable safeguards to protect personal data in their possession or under their control, including with respect to any processing undertaken by them or on their behalf by a data processor. Second, as a corrective measure in the case of a breach event, the DPDPA requires data fiduciaries to inform the Data Protection Board, as well as each affected data principal, of such personal data breach.

As such, the DPDPA neither sets out the security standards nor suggests the relevant safeguards or guidelines would be outlined under any delegated legislation or rules. This leaves data fiduciaries with some room and flexibility to determine their own processes and guardrails based on the nature of the personal data they process.

However, before going back to the drawing board, it would be prudent for data fiduciaries to take a cue from existing legislation on the subject, the most fundamental being the Sensitive Personal Data or Information Rules, which set out a two-fold baseline standard for when a body corporate would be considered in compliance with reasonable security standards and procedures.

First, the body corporate must have comprehensively documented information security programs and policies commensurate with the nature of the personal data being protected. Second, it must implement security control measures as per such documented policies and be able to demonstrate the same to the authorities in case of an information security breach.

If a parallel is to be drawn with the DPDPA, the prerequisite for compliance by the data fiduciary would be formulating organization-level security policies and awareness modules for both the technical aspects of the security safeguards and the systematic processes that will be triggered in case of data breaches. However, merely documenting, building and implementing processes and policies may not be enough to demonstrate the reasonable security safeguards taken by a data fiduciary.

Given the heavy quantum of fines prescribed under the DPDPA, data fiduciaries ― especially those processing sensitive personal data, like financial, health and children's information ― should invest in their cybersecurity infrastructure and conduct regular training sessions and awareness programs to instil readiness among in-house departments like legal, IT, business and customer services, and procure adequate cyber liability insurance policies to offer comprehensive protection.

The DPB has the power to impose fines of up to INR250 crore for failure to implement reasonable security safeguards to prevent a personal data breach.

To determine the monetary penalty to impose, the DPB will consider the nature, gravity and duration of the breach; the type and nature of the personal data affected; any action taken to mitigate the effects and consequences; and the timeliness and effectiveness of any mitigative action. Hence, it is crucial for a data fiduciary to assess the foregoing factors while formulating its security policies and implementing a cybersecurity infrastructure.

A quick look at practices in other relevant jurisdictions indicates authorities, like the European Data Protection Board, Ireland's Data Protection Commission and the U.S. Federal Trade Commission, have become increasingly stringent in imposing penalties in cases when there has been a conscious failure to take reasonable steps to secure data and fix critical vulnerabilities identified by data fiduciaries.

The DPDPA does not set out the timelines, manner or form in which data fiduciaries are obligated to inform the DPB and affected data principals of any personal data breach. These details are expected to be provided under implementing rules.

When it comes to penalty assessment, another key factor to consider is how the DPB and CERT-In will interact once the DPDPA and its rules are enforced. Organizations are currently required to report cyber incidents, including data breaches, to the CERT-In within six hours of discovery.

Further, the scope of the CERT-In directives is much broader in terms of applicability and is not just limited to personal data breaches. To this end, there is undoubtedly an overlap in the reporting obligations of a data fiduciary for personal data breaches, allowing for penalties to be levied under both frameworks if authorities are not notified.

Despite this, there has not been a single instance of reprimand or levy of penalty by any authority to date. Therefore, to the extent penalties are concerned, the government may reassess and demarcate the authority, powers and functions of the DPB and the CERT-In regarding reporting cyber breaches and incidents.

The DPDPA's scope extends to the processing of digital personal data outside India in cases when the processing pertains to offering goods or services to data principals within the country.

This means data fiduciaries processing personal data in jurisdictions outside India must also comply with the DPDPA's provisions if the processing pertains to services or goods offered to Indian data principals.

However, enforcement of the extraterritorial application, specifically in cases of personal data breaches, is undoubtedly riddled with challenges. Enforcing the DPDPA on foreign entities may be inherently complex due to the jurisdictional limitations and differing legal frameworks of other countries.

Cooperation from international counterparts is crucial but often difficult to secure, leading to potential enforcement gaps.

Further, compliance by data fiduciaries offering their services and goods to data principals in India can incidentally, not systematically, be burdensome given the increased operational costs.

The DPDPA imposes a substantial penalty of INR250 crore for data breaches, which is credited to the Consolidated Fund of India. Unlike many data protection laws, including the EU General Data Protection Regulation, the DPDPA does not compensate data principals whose personal data has been breached.

The absence of explicit provisions for compensating data principals, especially given that such measures were included in earlier drafts of data protection legislation, has been a contentious issue. While some argue the government aims to reduce frivolous litigation, others believe this lack of compensation may deter data principals from reporting data breaches altogether.

Additionally, since civil courts lack jurisdiction over matters arising from the DPDPA, data principals may be unable to seek compensation either from the DPB or the courts.

To ensure the DPDPA's efficacy, it is imperative to clearly define the roles of the CERT-In and the DPB and to establish precise guidelines for reporting personal data breaches. Moving beyond mere awareness programs, it will be interesting to observe how the government plans to incentivize users to report such incidents, thereby fully realizing the DPDPA's objectives.


marketing interactive

CASE fined SG$20,000 for personal data breach


The Consumers Association of Singapore (CASE) has been fined SG$20,000 for breaching protection and accountability obligations. The Personal Data Protection Commission (PDPC) published a judgement saying that CASE failed to "put in place reasonable security arrangements to protect the personal data in its possession or under its control".

It added that CASE failed to "develop and implement policies and practices that are necessary to meet its obligation under the Personal Data Protection Act (PDPA)". 


The breaches led to two separate incidents in October 2022 and June 2023. According to documents seen by MARKETING-INTERACTIVE, up to 22,542 e-mail addresses in October 2022 and consumer data of 12,218 individuals in June 2023 in CASE's possession were possibly compromised. 

The first incident notified to PDPC involved a threat actor accessing CASE's e-mail accounts and sending phishing e-mails on 8 and 9 October 2022. Some of CASE's consumers received unsolicited e-mails from "[email protected]" on 8 October, an account used to communicate with consumers who lodge complaints on its website.

The e-mail told consumers that their complaints had been escalated to the "collections and compensation department" and that they were eligible for a compensation payout. Consumers were then requested to click on a chat icon to fill in their banking details to complete the payment process.

Similar e-mails were sent from "[email protected]" the next day. The e-mail account is used to communicate with consumers who are in the mediation stage. In these incidents, three consumers were affected, with the victims losing a collective amount of SG$217,900.

Investigations by a private forensic expert engaged by CASE revealed that the threat actor had signed in to the affected accounts using correct login credentials, which were likely retrieved from a phishing attack on a CASE employee.

The investigation also revealed that some of CASE's computers were no longer supported or maintained with security updates by vendors, as they were running end-of-life operating systems.

While PDPC was investigating the first incident, it received a complaint on 22 June 2023 regarding a phishing e-mail that reproduced a consumer's complaint submitted to CASE.

Subsequently, PDPC was informed by a total of 28 individuals that they received similar e-mails from e-mail addresses which did not originate from CASE's domains. The investigations did not yield a definitive conclusion regarding how the data breach happened. Based on its findings, PDPC said it found CASE to have breached the protection obligation.

PDPC said that CASE's password management policy was "manifestly insufficient" to safeguard the personal data in its possession. It added that CASE did not enforce its own password policy and failed to implement an adequate password policy. 

In tandem, PDPC said CASE did not have in place sufficient logging and monitoring practices to detect suspicious or unusual activities or unauthorised access promptly and that it did not have a documented IT infrastructure management plan or process for the protection and security of its systems.

As such the PDPC determined that CASE should pay a financial penalty of SG$20,000 within 30 days from the date of the notice. It also directed CASE to review and update policies relevant to personal data protection, rectify all security gaps identified and more. 

In a statement, CASE said it has "received and fully accept the written decision by the PDPC issued on 9 July 2024, and the financial penalty of $20,000."

"In the two incidents that occurred in October 2022 and June 2023, CASE promptly alerted affected consumers and reported the matter to the Police and the PDPC. CASE also promptly engaged the services of an IT forensic investigation firm and implemented various measures to strengthen our policies and systems against unauthorised access. CASE is committed to safeguarding consumer’s data and has complied with PDPC’s directives to update our personal data protection policies and to rectify security gaps. We will continually review our systems and practices to prevent a recurrence of such incidents," added CASE in its statement. 

In November last year, Ascentis, the developer for Starbucks Singapore, was charged SG$10,000 for its failure to protect the personal data of more than 300,000 members of the chain’s rewards programme.

According to the PDPC, the developer had “requested and agreed for the investigation to be handled, and voluntarily provided and admitted” to the data breach. 

The personal data of these individuals, consisting of names, email addresses, dates of birth, membership details relating to the rewards program, physical addresses and telephone numbers were exfiltrated in the incident.

Voluntary undertakings were implemented by the company which included enhanced security to its consumers’ data and other precautionary measures. 


An enquiry into rehabilitation as a climate change adaptation policy: the case of the Western Ghats of Kerala, India

  • Published: 29 August 2024
  • Volume 89, article number 201 (2024)

  • Renjith Raj (ORCID: orcid.org/0000-0001-5090-6220)
  • Arfat Ahmad Sofi

The Western Ghats have been declared as a World Heritage Site by UNESCO. Besides, it is classified as one of the world’s 36 biodiversity hotspots by Conservation International. The Western Ghats of Kerala have experienced devastating landslides and floods in recent years, which are triggered by climate change. This alarming situation calls for policymakers to develop a comprehensive climate adaptation policy at the local level. However, no study has yet thoroughly investigated this critical issue. Therefore, this study explores the prospects and trade-offs of climate rehabilitation policies for families living in the highly landslide- and flood-prone areas of the Western Ghats in Kerala, India. We have undertaken a mixed methodology comprising four focus group discussions followed by empirical analyses. Towards this, a semi-structured questionnaire is framed to gather relevant information based on the outcomes. The data are analyzed using robust logistic regression models. The findings indicate that most agricultural worker families support the rehabilitation policy, given their lower opportunity costs due to the absence of farmland ownership. On the other hand, agricultural families face considerable trade-offs regarding rehabilitation. Most agricultural families prefer to rehabilitate within a short distance from the current residence or construct a retaining wall as they fear rehabilitation to distant places will gravely affect their livelihood. This research highlights the potential for implementing a rehabilitation policy for marginalized communities heavily exposed to climate risks. Additionally, constructing retaining walls should also be a primary focus of the Government.


Source: The Indian Express. Note: "Panel A: Aerial images of the Kerala floods, August 2018. Panel B: Kavalappara, Malappuram district, landslides occurred on August 8, 2019, which led to a casualty of 59 people. Panel C: Pettimudi, Idukki district, landslides occurred on August 7, 2020, where 70 people were buried alive. Panel D: Kootickal village bordering Idukki and Kottayam districts, landslides occurred on October 17, 2021, which led to a death toll of 15"

Source: Report of the Western Ghats Ecologically Expert Panel (2011)

Source: Kerala State Disaster Management Authority

The state of Kerala lies in the southern part of the west coast of India.

Mesoscale cloudburst is the technical term to indicate a rainfall of 50 mm in 2 h.

Rainfall erosivity is an index that describes the power of rainfall to cause soil erosion.

Achu, A. L., Thomas, J., Aju, C. D., Vijith, H., & Gopinath, G. (2024). Redefining landslide susceptibility under extreme rainfall events using deep learning. Geomorphology, 448 , 109033.

Article   Google Scholar  

Assam state disaster management authority. 2022. In Assam flood report 2022.

Bahinipati, C. S., & Patnaik, U. (2020). Does development reduce damage risk from climate extremes? Empirical evidence for floods in India. Water Policy, 22 (5), 748–767. https://doi.org/10.2166/wp.2020.059

Barua, P., Rahman, S. H., & Molla, M. H. (2017). Sustainable adaptation for resolving climate displacement issues of south eastern islands in Bangladesh. International Journal of Climate Change Strategies and Management., 9 (6), 790–810. https://doi.org/10.1108/IJCCSM-02-2017-0026

Eckstein, D,. Kunzel, V., Schafer, L., Winges, M., (2020). GLOBAL CLIMATE RISK INDEX 2020. In Who suffers most from extreme weather events? Weather – related loss events in 2018 and 1999 to 2018. GERMANWATCH. Briefing paper.

Gadgil M., (2011). Report of the western ghats ecologically expert panel. In Ministry of environment, forests and climate change, government of India.

Gopinath, G., Jesiya, N., Achu, A, L., Bhadran, A., Surendran, U, P., (2023). Ensemble of fuzzy-analytical hierarchy process in landslide susceptibility modeling from a humid tropical region of Western Ghats, Southern India. In Environmental science and pollution research.

Gorman, C. E., Torsney, A., Gaughran, A., McKeon, C. M., Farrell, C. A., White, C., Donohue, I., Stout, J. C., Buckley, Y. M., (2023). Reconciling climate action with the need for biodiversity protection, restoration and rehabilitation. In Science of the total environment. 857, Part 1.

Government of Kerala. (2020). Memorandum: Kerala Floods – 2019.

Gupta, V., & Jain, M. K. (2020). Impact of ENSO, global warming, and land surface elevation on extreme precipitation in India. Journal of Hydrologic Engineering, 25, 1.

Haque, U., da Silva, P. F., Devoli, G., Pilz, J., Zhao, B., Khaloua, A., Wilopo, W., Andersen, P., Lu, P., Lee, J., Yamamoto, T., Keelings, D., Wu, J. H., & Glass, G. E. (2019). The human cost of global warming: deadly landslides and their triggers (1995–2014). Science of the Total Environment, 682, 673–684. https://doi.org/10.1016/j.scitotenv.2019.03.415

Hunt, K. M. R., & Menon, A. (2020). The 2018 Kerala floods: a climate change perspective. Climate Dynamics, 54 (3–4), 2433–2446.

IPCC. (2022). Climate change 2022: impacts, adaptation and vulnerability. In summary for policymakers.

IPCC. (2023). Assessment round 6 synthesis report: climate change 2023.

Irshad, S. M., & Solaman, S. S. C. (2022). Identity, space and disaster: a case study of Pettimudi landslide in Kerala. In Sociological Bulletin, 71 (3), 437–453. https://doi.org/10.1177/00380229221094785

Kerala Forest Department., (2021). Kerala forests statistics 2021. In Government of Kerala.

Krishnan, R., Sanjay, J., Gnanaseelan, Chellappan., Mujumdar, Milind., Kulkarni, Ashwini., Chakraborty, Supriyo., (2020). Assessment of climate change over the Indian region. In A report of the ministry of earth science (MoES), government of India.

Kumar, P., & Brewster, C. (2022). Co-production of climate change vulnerability assessment-a case study of the Indian lesser Himalayan region. Darjeeling. Journal of Integrative Environmental Sciences, 19 (1), 39–64. https://doi.org/10.1080/1943815X.2022.2033792

Kumar, P. V., & Naidu, C. V. (2020). Is pre-monsoon rainfall activity over India increasing in the recent era of global warming? Pure and Applied Geophysics, 177, 4423–4442. https://doi.org/10.1007/s00024-020-02471-7

Li, B. V., Jenkins, C, N., Xu, W., (2022). Strategic protection of landslide vulnerable mountains for biodiversity conservation under land-cover and climate change impacts. In Proceedings of the national academy of sciences united states of America. 119(2).

Mishra, Anoop, & Kumar., Nagaraju, V., Rafiq, Mohammd., Chandra, Sagarika. (2018). Evidence of links between regional climate change and precipitation extremes over India. Royal Meteorological Society., 74 (6), 218–221. https://doi.org/10.1002/wea.3259

Mittermeier, R. A., Myers, N., Mittermeier, C. G., Robles, G, P., (1999). Hotspots: earth’s biologically richest and most endangered terrestrial ecoregions. In Conservation international.

Oeba, V. O., & Larwanou, M. (2017). Forestry and resilience to climate change: a synthesis on application of forest-based adaptation strategies to reduce vulnerability among communities in sub-Saharan Africa (pp. 153–168). Cham: Climate Change Adaptation in Africa Springer.


Oomen, V. O., (2014). Understanding report of the western ghats ecologically expert panel, Kerala perspective. In Kerala state biodiversity board.

Panagos, Panos, Borrelli, Pasquale, Matthews, Francis, Liakos, Leonidas, Bezak, Nejc, Diodato, Nazzareno, & Ballabio, Cristiano. (2022). Global rainfall erosivity projections for 2050 and 2070. Journal of Hydrology, 610

Paramesh, V., Kumar, P., Shamim, M., Ravisankar, N., Arunachalam, V., Nath, A. J., Mayekar, T., Singh, R., Prusty, A. K., Rajkumar, R. S., Panwar, A. S., Reddy, V. K., Pramanik, M., Das, A., Manohara, K. K., Babu, S., & Kashyap, P. (2022). Integrated farming systems as an adaptation strategy to climate change: case studies from diverse agro-climatic zones of India. Sustainability, 14 (18), 11629. https://doi.org/10.3390/su141811629

Pramanik, M., Chowdhury, K., Rana, M. J., Bisht, P., Pal, R., Szabo, S., Pal, I., Behera, B., Liang, Q., Padmadas, S. S., & Udmale, P. (2022a). Climatic influence on the magnitude of COVID-19 outbreak: A stochastic model-based global analysis. International Journal of Environmental Health Research, 32 (5), 1095–1110. https://doi.org/10.1080/09603123.2020.1831446

Pramanik, M., Diwakar, A. K., Dash, P., Szabo, S., & Pal, I. (2021a). Conservation planning of cash crops species (Garcinia gummi-gutta) under current and future climate in the Western Ghats, India. Environment, Development and Sustainability, 23 (4), 5345–5370. https://doi.org/10.1007/s10668-020-00819-6

Pramanik, M., Paudel, U., Mondal, B., Chakraborti, S., & Deb, P. (2018). Predicting climate change impacts on the distribution of the threatened Garcinia indica in the Western Ghats, India. Climate Risk Management, 19, 94–105. https://doi.org/10.1016/j.crm.2017.11.002

Pramanik, M., Szabo, S., Pal, I., Udmale, P., O’Connor, J., Sanyal, M., Roy, S., & Sebesvari, Z. (2021). Twin disasters: tracking COVID-19 and cyclone Amphan’s impacts on SDGs in the Indian Sundarbans. Environment: science and policy for sustainable development, 63 (4), 20–30. https://doi.org/10.1080/00139157.2021.1924575

Pramanik, M., Szabo, S., Pal, I., Udmale, P., Pongsiri, M., & Chilton, S. (2022b). Population health risks in multi-hazard environments: action needed in the cyclone amphan and COVID-19–hit sundarbans region. India. Climate and Development, 14 (2), 99–104.

Qasim, M., Khan, M., & Rashid, W. (2023). Spatial and temporal analyses of land use changes with special focus on seasonal variation in snow cover in district Chitral; a Hindu Kush mountain region of Pakistan. Remote Sensing Applications: Society and Environment, 29, 100902. https://doi.org/10.1016/j.rsase.2022.100902

Raj, R., & Sofi, A. A. (2023). Does climate change leads to severe household-level vulnerability? Evidence from the Western Ghats of Kerala. India. Land Use Policy, 130, 106655.

Reddy, K. V., Paramesh, V., Arunachalam, V., Das, B., Ramasundaram, P., Pramanik, M., Sridhara, S., Reddy, D. D., Alataway, A., Dewidar, A. Z., & Mattar, M. A. (2022). Farmers’ perception and efficacy of adaptation decisions to climate change. Agronomy, 12 (5), 1023. https://doi.org/10.3390/agronomy12051023

Roxy, M. K., Ghosh, S., Pathak, A., Athulya, R., Mujumdar, M., Murtugudde, R., Terray, P., & Rajeevan, M. (2017). A threefold rise in widespread extreme rain events over central India. Nature Communications, 8 (1), 708. https://doi.org/10.1038/s41467-017-00744-9

Samui, S., & Sethi, N. (2022). Social vulnerability assessment of glacial lake outburst flood in a northeastern state in India. International Journal of Disaster Risk Reduction, 74, 102907. https://doi.org/10.1016/j.ijdrr.2022.102907

Sharma, J., Upgupta, S., Kumar, R., Chaturvedi, R. K., Bala, G., & Ravindranath, N. H. (2015). Assessment of inherent vulnerability of forests at landscape level: a case study from western ghats in India. Mitigation and Adaptation Strategies for Global Change, 22 (1), 29–44.

Sreenath, A. V., Abhilash, S., Vijayakumar, P., & Mapes, B. E. (2022). West coast India’s rainfall is becoming more convective. npj Climate and Atmospheric Science. https://doi.org/10.1038/s41612-022-00258-2

Sultana, N., & Tan, S. (2021). Landslide mitigation strategies in southeast Bangladesh: lessons learned from the institutional responses. International Journal of Disaster Risk Reduction, 62, 102402. https://doi.org/10.1016/j.ijdrr.2021.102402

Tiwari, P., & Shukla, J. (2022). Post-disaster reconstruction, well-being and sustainable development goals: a conceptual framework. Environment and Urbanization Asia, 13 (2), 323–332. https://doi.org/10.1177/09754253221130405

Upadhyaya, A., & RaiKumar, A. K. P. (2022). Anomalous rainfall trends in the north-western Indian Himalayan region (NW-IHR). Theoretical and Applied Climatology, 151 (1–2), 253–272.

Vijaykumar, P., Abhilash, S., Sreenath, A. V., Athira, U. N., Mohanakumar, K., Mapes, B. E., Chakrapani, B., Sahai, A. K., Niyas, T. N., & Sreejith, O. P. (2021). Kerala floods in consecutive years - its association with mesoscale cloudburst and structural changes in monsoon clouds over the west coast of India. Weather and Climate Extremes, 33, 100339. https://doi.org/10.1016/j.wace.2021.100339

Wang, Y., Xie, X., Shi, J., Zhu, B., Jiang, F., Chen, Y., & Liu, Y. (2022). Accelerated hydrological cycle on the Tibetan Plateau evidenced by ensemble modelling of long-term water budgets. Journal of Hydrology, 615, 128710. https://doi.org/10.1016/j.jhydrol.2022.128710

Yaduvanshi, A., Nkemelang, T., Bendapudi, R., & New, M. (2021). Temperature and rainfall extremes change under current and future global warming levels across Indian climate zones. Weather and Climate Extremes, 31 (2021), 100291.

Younus, M. A. F. (2016). Adapting to climate change in the coastal regions of Bangladesh: proposal for the formation of community-based adaptation committees. Environmental Hazards, 16 (1), 21–49. https://doi.org/10.1080/17477891.2016.1211984


Acknowledgements

The authors would like to express their gratitude to the following persons for their wholehearted cooperation and suggestions, without which this study would not have been realized: Sheeba George IAS—Idukki District Collector, Dr. Sekhar Lukose Kuriakose—Member Secretary, Kerala State Disaster Management Authority, Pradeep G.S—Hazard and Risk Analyst, Kerala State Disaster Management Authority, Rajeev T.R—Hazard and Risk Analyst, Idukki District, Government officials of Idukki taluk revenue office, Government officials and representatives of concerned village panchayats, and the residents of the concerned villages.

This work is part of the Ph.D. No funds have been received for this study.

Author information

Authors and affiliations.

Department of Economics, School of Humanities and Social Sciences, JAIN (Deemed-to-be University), Bengaluru, India

Renjith Raj

Department of Economics and Finance, Birla Institute of Technology and Science, Pilani, KK Birla Goa Campus, Sancoale, India

Arfat Ahmad Sofi


Corresponding author

Correspondence to Renjith Raj.

Ethics declarations

Conflict of interest.

The authors do not have any conflict of interest to disclose.

Additional information

Publisher's note.

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Figure 9: Landslide Prone Regions in Kerala. Source: Achu et al., 2024

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article

Raj, R., Sofi, A.A. An enquiry into rehabilitation as a climate change adaptation policy: the case of the Western Ghats of Kerala, India. GeoJournal 89, 201 (2024). https://doi.org/10.1007/s10708-024-11198-0


Accepted: 15 August 2024

Published: 29 August 2024

DOI: https://doi.org/10.1007/s10708-024-11198-0


  • Climate change
  • Climatic hazards
  • Rehabilitation policy
  • The western ghats

COMMENTS

  1. The biggest data breaches in India

    Impact: 1 million credit card records and 180 million pizza preferences. Details: 180 million Domino's India pizza orders are up for sale on the dark web, according to Alon Gal, CTO of cyber ...

  2. Aadhaar details of 81.5 cr people leaked in India's 'biggest' data breach

    By HT News Desk, New Delhi. Oct 31, 2023 12:23 PM IST. The hacker claims to have extracted the information from the Covid-19 test details of the citizens registered with ICMR. In what is being ...

  3. How the personal data of 815 million Indians got breached

    Data leak of 815 million Indian citizens' PII on dark web. Threat actors selling data sourced from ICMR, UIDAI. Govt. investigating, CERT-In reviewing security infrastructure. Users advised to ...

  4. 81.5 crore Indians' personal data leaked, claims hacker

    In what could possibly be the largest data breach in India's history, sensitive personal data of 81.5 crore Indians has leaked and surfaced on the dark web. The data has been leaked from the database of the Indian Council of Medical Research (ICMR). However, the epicentre of the leak is still unknown.

  5. ICMR data breach exposes details of 81.5 crore Indians: What you need

    TNM Staff. Published on : 31 Oct 2023, 10:17 am. Personal information of 815 million (81.5 crore) Indian citizens has been compromised, when their Aadhar and passport details, names, phone numbers ...

  6. Behind the Curtain: Decrypting India's Massive Telecom Data Breach

    Conclusion: The data breach involving 750 million Indian mobile users underscores the imperative for robust cybersecurity practices within the telecom sector. This case study underscores the ...

  7. Major Cybersecurity Data Breaches in 2023

    The year 2023 also witnessed some major breaches in data security in India. Early in the year, train ticketing platform RailYatri confirmed that it suffered a data breach in December 2022, shortly ...

  8. data breach: Aadhaar data leak

    In what could be one of the biggest data breaches in Indian history, details of over 81.5 crore Indian citizens are on sale on the dark web, US-based cybersecurity firm Resecurity reported. The data sets on sale contain crucial information such as Aadhaar and passport details, along with names, phone numbers, and addresses, according to the report.

  9. ICMR Data Leak Exposes 81.5M Indians' Personal Information

    In what could potentially be the largest data breach in India's history, sensitive details of 81.5 million Indians have surfaced on the dark web as per reports. One of the most concerning aspects of this breach is that the epicenter of the leakage has not been pinpointed. The ICMR has been under cyber-attacks since February, with over 6,000 ...

  10. Air India cyber-attack: Data of millions of customers compromised

    India's national airline Air India has said a cyber-attack on its data servers affected about 4.5 million customers around the world. The breach was first reported to the company in February ...

  11. Data of 81.5 crore Indians dumped on dark web

    What is being touted as the biggest data breach case in India so far, the details of as many as 81.5 crore Indian citizens that were with the Indian Council of Medical Research have been put up on sale, according to a media report. The report says that the threat actor with a social media handle on X (formerly Twitter), advertised the data dump on one of the breached forums on the dark web.

  12. IBM Report: Average cost of a data breach in India touched INR 179

    INDIA, Bengaluru, July 25, 2023 -- IBM (NYSE: IBM) Security today released its annual Cost of a Data Breach Report, 1 showing the average cost of a data breach in India reached INR 179 million in 2023 - an all-time high for the report and almost a 28% increase since 2020. Detection and escalation costs jumped 45% over this same time frame, representing the highest portion of breach costs ...

  13. Air India Data Breach: Hackers Access Personal Details Of 4.5 ...

    NurPhoto via Getty Images. Air India has admitted to a massive data breach that compromised the personal data of about 4.5 million passengers. The breach, confirmation of which comes two months ...

  14. Explained

    In December, in a separate security breach, an Iranian hacker claimed to be in possession of data from the CoWIN database. Both the reports of the data leak were rubbished by the Ministry of ...

  15. What we know and don't know about the alleged Aadhaar data leak

    According to the seller, the leaked data included sensitive information such as names, fathers' names, phone numbers, passport numbers, Aadhaar numbers, ages, genders, addresses, districts, pincodes, states, and towns. Resecurity, a cybersecurity firm, analyzed the sample dataset of 1 lakh entries shared by the seller.

  16. Data breaches in India

    Data breach incidences in India were the second highest globally in 2018, according to a report by digital security firm Gemalto. [1] [2] With over 690 million internet subscribers [3] and growing, India has increasingly seen a rise in data breaches both in the private and public sector.[4] [5] This is a list of some of the biggest data breaches in the country.

  17. Durex India protection fails, customer data left exposed

    A big data breach has affected Durex India, the regional division of the well-known British condom and personal lubricant business. Sensitive consumer data was exposed due to the hack, which presents major privacy and security issues. The hack, which exposed personal data including users' complete names, phone numbers, email addresses ...

  18. Alleged HDFC Bank subsidiary data breach: The inside story

    Here are some insights into the alleged breach, brought to you exclusively by ETCIO. On March 6, 2023, a Dark Web monitoring company identified a post on BreachForums, where the threat actor ...

  19. Air India data breach explained: Who is affected by the cyber attack?

    In March, Air India had said that SITA had flagged a cyber-attack it was subjected to in the last week of February and said it led to the leak of personal data of some of the airline's passengers. In its notification to the affected passengers, the airline said that the cyber-attack that compromised the data of millions of passengers from ...

  20. Domino's Pizza India Data Breach: name, address, other details of over

    The data breach, first spotted by Internet Security Researcher Rajshekhar Rajaharia (@rajaharia) includes 130TB of employee data files and customer details. The attackers who are responsible for the breach, also created a webpage on the dark web that pulls the data for any of the leaked order details simply by searching for a phone number or an ...

  21. Over 60% companies in India follow problematic data practices: Study

    On data breaches, the study found that more than half of the organisations (52 per cent) were victims of a data breach in the last five years. Among key concerns, consent and data principal access request management, visibility of personal data, data retention and disposal, breach response, and cross-border transfer of data were some of the ...

  22. Case study on data breach scandal of Byjus

    The data include everything from Email, Address, Age, chats, mobile number etc. Most of the data was of Whitehat Junior, newly acquired by Byjus. Now one of the servers was unprotected without any security encryption or password and open to anyone to copy the data. More than 20 thousand user's data was breached.

  23. Aadhar Breach

    Abstract. This paper explores the Aadhaar data breach and the laws violated by the UIDAI and the other third parties to compromise the personal information of 1.1 billion enrolled Aadhaar users. It investigates the history of the Aadhaar database breach and how the third parties leaked the information, software patch in the Aadhaar database ...

  24. Top 10 operational impacts of India's DPDPA

    While the 2018 framework enumerates the obligations of data fiduciaries in the case of a personal data breach in finer detail, the DPDPA outlines the broad contours of the obligations within just two provisions under Section 8. ... The DPDPA's scope extends to the processing of digital personal data outside India in cases when the processing ...

  25. CASE fined SG$20,000 for personal data breach

    The Consumers Association of Singapore (CASE) has been fined SG$20,000 for breaching protection and accountability obligations. The Personal Data Protection Commission (PDPC) published a judgement ...

  26. Comprehensive assessment of current municipal solid waste ...

    Chennai city has implemented numerous strategies and plans to effectively manage the municipal solid waste by the municipal corporation. One of the prime strategy is the establishment of public-private partnership schemes, which play a crucial role in enhancing waste management practices. This case study focus to assess the conservancy operations carried out by multiple stakeholders in order ...

  27. An enquiry into rehabilitation as a climate change ...

    During the data collection period for this study, many families suffered from unemployment and a fall in income due to COVID-19 and related lockdowns. ... G., & Ravindranath, N. H. (2015). Assessment of inherent vulnerability of forests at landscape level: a case study from western ghats in India. Mitigation and Adaptation Strategies for Global ...