Last month, US-based cybersecurity and intelligence firm Resecurity mentioned that a threat actor going by the alias 'pwn0001' posted a thread on breach forums brokering access to 815mn (million) records of Aadhaar and passport details of Indian citizens. Resecurity found one of the leaked samples containing 100,000 records of personally identifiable information (PII) of Indian residents probably submitted for COVID-19 vaccination to the government. In September, cybersecurity company CloudSEK found the official website of the ministry of AYUSH in Jharkhand had been breached, exposing over 320,000 patient records on the dark web. The stolen data holds patient records that include PII and medical diagnoses and also contains sensitive information about doctors, including their PII, login credentials, usernames, passwords, and phone numbers.
These are just two examples of the increasing number of data breaches taking place in cyberspace. While data breaches are not limited to India, the number of hacks or breaches in the healthcare sector remains enormous worldwide. According to the 2023 IBM Cost of Data Breach Report, for the 12th consecutive year, the healthcare industry has the highest data breach costs. In 2022, the healthcare industry paid an average of US$10.10mn for a data breach, 9.4% more than the figure in 2021.
So, why is everybody, including the government, corporates, your local delivery person, or even cybercriminals, after your personal information or data? An even more serious question is what they do with this data and whether the database is stored in a dynamically safe and secure place.
It is no secret that data is the new oil, wealth and property of the owner, whether an individual or a big corporation. Unfortunately, the potential for evolving technologies to record, collate, converge, retrieve, mine, share, profile, sell and otherwise conjure with data has given life to spiralling ambitions around the database.
For data mongers and sellers, your entire personal information would be just a few numbers, but for you, it is the cost of your existence. Don't believe it? Just imagine how many things you can do, like buying a new SIM or obtaining services like banking, with just an Aadhaar. In the hands of the original owner, Aadhaar may appear safe (it is not!), but the moment it leaves your possession, it can quickly go out of control or be easily controlled by the same data mongers. And if someone uses your Aadhaar to procure a mobile SIM or open a bank account and uses it for unlawful activities, then after basic tracking and a probe, the police will surely land at your doorstep. In such a case, you would end up in the lockup without it being your fault or knowledge. Scary, isn't it? But I am sharing just one of the possibilities of misuse of your personal data (Aadhaar in this case) that has the potential to make any individual redundant.
We share our data (and thus allow its manipulation, including sale and surveillance) with private parties because they promise convenience. The government, on the other hand, forces us to share such data to provide some benefits or protection, irrespective of whether the citizen is seeking it. All this data-grabbing, however, turns the entire society into a 'commodity' meant for buying and selling with wide implications for every individual data-owner.
In this buyer-seller set-up, we witnessed the emergence of an information infrastructure, which the government helps—by financing and facilitating the 'start-up' and by the use of coercion to get people onto the database—which was then handed over to corporate interests after voluntarily making it mandatory for individuals.
Let us move ahead and find out what exactly is a data breach and how it can affect the lives of billions of humans, including you and me.
In purely technical terms, a data breach is a security incident in which an unauthorised party gains access to and potentially exposes or steals sensitive, confidential, or personal information. These breaches can occur in various ways, such as hacking, malware, phishing, physical theft of devices or documents, or other means. The information that can be compromised in a data breach includes personal data, financial information, intellectual property, trade secrets, and more.
Data breaches can have a significant impact on individuals, directly and indirectly. Personal information such as names, addresses, Aadhaar, permanent account number (PAN), email addresses, and even login credentials can be exposed. This can lead to identity theft, phishing attacks and spam.
If financial information, such as credit card numbers or bank account details, is compromised, it can result in unauthorised transactions, fraud and financial losses for the victim.
Data breaches can tarnish an individual's reputation, especially if the exposed data is embarrassing or sensitive. Just search the internet to know how such exposures have finished the public life of several celebrities, politicians and even individuals, especially youngsters.
Dealing with the aftermath of an incident, including a data breach, is a time-consuming and frustrating experience. You need to work tirelessly for a few days to a few years with several authorities, financial institutions and credit reporting agencies to resolve issues related to identity theft and financial fraud. Since it is quite a frustrating experience, a few brave hearts who choose this path also leave it midway. Others simply pretend that nothing has happened. They wake up only when the after-effects of a data breach reach their doorsteps.
In 2018, I interviewed Bruce Schneier, who is called a 'security guru' by The Economist. Responding to my question on how citizens should protect their private data and privacy, he told me that so much of our data is in other people's hands. "It is not just government systems like Aadhaar; much of our data is being stored by companies like Google and Facebook. When we give our data to others, we have to trust that they will protect our privacy. So while there are some actions individuals can take to better protect their privacy, the best thing we can all do is agitate for better legal privacy protections."
So, how can anyone protect his/her privacy 24x7?
For things like hacking into your service-providers, email or bank, and data-stockers like the government, there is nothing much you can do except maybe pray. But you can avoid falling prey to a phishing attack by not sharing your details over email. Here are a few tips to protect your digital privacy and security…
1. Protect and safeguard all your personal information such as full name, mobile number, PAN and Aadhaar numbers and banking details, like your life depends on it.
2. Never share your personal information and financial details with anyone, including the government. Effectively use the 'need to know' system and proper verification while sharing data with authentic government agencies or departments.
3. While sharing photocopies for any purpose, make sure you mention the date, time and purpose. For example, if you are sharing a photocopy of your Aadhaar for obtaining a SIM, then while self-verifying (signing), put the date and time, and mention 'for buying a new SIM from so and so provider, and submitted to so and so vendor' (name of the person and establishment he/she represents). Also, mention that this document is valid only for 30 days or till so and so date. This will help avoid misuse of the document.
4. Use multi-factor authentication (MFA): Cybercriminals love people who are lazy about protecting themselves. This is where MFA comes in handy. The most famous example of MFA is how we use our plastic cards and personal identification numbers (PINs) for transactions. You can add one security layer, like a one-time passcode (OTP). Apart from financial service providers, others like Apple, Google, Microsoft, Amazon, Facebook and X (Twitter) also offer MFA for login.
5. In case your data is hacked or stolen and sold on the internet, you can do nothing except pray. Or raise your voice to demand better legal remedies and greater protection for your personal information, privacy and database.
"Global politics will be affected as authoritarianism is easier in a world of total visibility and traceability, while democracy may turn out to be more difficult—many societies are already struggling to balance threats to privacy, trust and autonomy against promises of increased security, efficiency and novelty. Geopolitically, the future may hinge in part on how societies with different values treat new reservoirs of data," the GPRS says.
Stay Alert, Stay Safe!