Over 6,000 businesses in India have been reportedly breached by an unknown cyber criminal. The enterprise arm of IT security firm Quick Heal, Seqrite claimed they spotted over 6,000 sensitive information of organizations including service providers, banks and government put up on the Darknet for sale.
According to the information, the nation’s internet registry was also hit by the attack, but the organization says the information obtained was trivial.
The National Internet Exchange of India (NIXI) released a statement condemning the notice as announced by the Darknet hacker. The NIXI clarified that there was no serious breach of the Indian registry database. “There has been no serious security breach of its IRINN system, as it has a robust security protocol in place. The hacker has no capacity to cause any damage or initiate distributed denial of service to any entity who has been allocated Internet resources through IRINN System,” said a NIXI spokesperson.
In a statement issued to the media by the NIXI, they said: “There was an attempt to penetrate the system and hackers were able to collect some basic profile information of the contact persons of some of the affiliates which were displayed by him on the darknet.”
The statement continues to read that: “existing security protocol of NIXI is robust and capable of countering such attacks. However, following this breach, security protocol has been further strengthened and review of existing infrastructure has also been initiated.”
The breached data spotted on the Darknet has been priced at 15 Bitcoins. Senior Director, Cyber Education, and Services at Quick Heal, Rohit Srivastwa, said to reporters that the government authorities have been alerted: “We have alerted the government authorities well within time. If someone gets control over this massive data that is currently up for sale on the Darknet, the above-mentioned organizations and enterprises can get affected.”
The Seqrite has also informed the various government agencies to report any suspicion and potentially threatened organizations, or that they should change their passwords and make updates on their security protocols.
India was nearly affected by 3.2 million debit card breaches in 2016 after an attack which was labeled as India’s largest banking system data breach. Around 641 customers lost an amount worth Rs1.3 crore. The loopholes that enabled the attack to be launched in 2016 still seem to exist and have been exploited by the hackers once again. The government provided cyber safety to teens to prevent Darkweb activities, but data breach activities still reign.
Numerous agencies have been put at risk following the breach. The Idea Telecom, Flipkart, Aircel, TCS, ICICI Prudential Mutual Fund, Bombay Stock Exchange and many other Indian organizations have become “sitting ducks” to cyber attacks.
Reports have listed several other government official websites which face the risk of data leaks, and the names on top of the list are Unique Identification Authority of India (UIDAI), Defence Research and Development Organisation (DRDO), Indian Space Research Organisation (ISRO), Reserve Bank of India (RBI), Employees’ Provident Fund Organisation (EPFO), State Bank of India and some other websites not listed.
Is India prepared for Cyber Attacks?
India does not have a strict regulatory enforcement mechanism, and this has raised concerns about the readiness of the country to face data breaches in this era where there has seen the rise in Ransomware attacks. Privacy practitioners, however, do not agree that India is ready for any data protection against cyber attack.
Sunder Krishnan, a Mumbai based chief risk officer, at Reliance Life Insurance Company, believes that if the strict regulatory enforcement mechanism is employed, it will lead to an opportunity loss for India. “If enacted, it will lead to opportunity loss for the Indian IT/BPO industry, as it further increases the threshold for data transfer outside EU/EEA,” he said.
Krishna also said that the inexistence of legal framework makes it difficult for data protection and transparency to be established. “It’s tough, as there is no holistic legal framework/regulator in the form of data protection authority, data quality and proportionality, data transparency, etc., which addresses and covers data protection issues in accordance with the principles of the EU Directive, OECD Guidelines or Safe Harbor Principles.”
With all these factors in existence, the Indian authorities have been a bit skeptical in the implementation of the regulations and it has made it appear that they are not ready for cyber attacks.