Over the past few weeks, the conversation on the web has been about how private information in the form of Aadhaar numbers, bank account details and PAN numbers of citizens has been floating around on the internet. In several of the leaks, the source was private and government sites themselves, which had Excel files with a trove of data sitting on open servers. This is alarming, but the problem is more deep-rooted than just Aadhaar, and it is something the mainstream media does not cover in depth either.
Personal Information Leaks
Google and other search engines, in turn, indexed these open files, and a simple search leads you to a wealth of information which is still accessible weeks after it was first publicly exposed. Even though the Aadhaar Act and UIDAI's regulations under it prohibit the Aadhaar number and the associated biometrics from being published openly, we can see that this is being blatantly ignored.
It is not limited to Aadhaar numbers. All kinds of information about us has already leaked from other sources such as banks, insurers and telecom companies, and is out there, sold in various databases used by marketing companies. This month I was porting out one of my SIMs from a telecom provider. Just a day after I sent the porting request, a competing telecom provider messaged me about good offers for joining their network. Coincidence? I think not.
Leaky faucets in Banks?
Data and card breaches at banks are another under-reported item here in India. How many of you were recently intimated by one of the “big” Indian banks that your debit card details could have been stolen? I'm betting that number is quite a few. Some banks reissued debit cards, and most others sent messages asking you to change your debit card PIN. Did you get a reason why?
Most banks and institutions right now have no push, or incentive, to notify their customers of breaches on their end; in most cases they are silently handled and brushed off, and many of these incidents never make it to the news. This is in contrast to Europe and the US, where banks are required by law to notify their customers about data breaches.
Do you use Apps on your phone?
There are quite a lot of low-quality apps on the app stores which profess to give you a free game or video while mining your phone for data that is uploaded to servers somewhere in the world. What kind of information can they take? Your contact list, incoming and outgoing calls and messages, your location and a lot more. Always look at what permissions an app asks for, and don't install an app that asks for a long list of permissions it has no reason to need. For example, why would a game ask for SMS or contact list permissions? Use your judgement wisely.
Online Food or Shopping?
There have been many incidents in the past involving breaches of Indian customer information by companies here, Dominos India and Microsoft India among them. I know for a fact that some of my information was stolen in both of those breaches because LastPass notified me about them and forced me to change the passwords for those sites. I wasn't notified by either company regarding the breach.
In contrast, when the Sony PlayStation Network was hacked and information was stolen, Sony immediately informed my bank and me, after which my credit card was automatically revoked by the bank and a replacement issued without my intervention. When these corporations follow the rules outside of India, what's preventing them from doing the same here?
Lack of relevant laws!
What about others?
There have been various instances where the information I provided to services has found its way elsewhere. Banks, telecom and other services use third parties for debt recovery, so if you defaulted on a phone or other bill, your information has already found its way out of the system and into the hands of third parties who do not necessarily follow the same policies. Customer information from companies also routinely ends up stolen by competitors, since secure handling of this information is not a priority for most. After all, there are no penalties for “losing” data.
How do you find the leak?
These days, when I fill in application forms for various services (telecom, mutual funds, insurance products, apps and others) I put a telltale sign in the signup application which will at least let me know the source of any leak of my personal information.
How do I do that? Usually, when asked for an email id, I use a Gmail account and add extra information to the address. Gmail delivers mail sent to local+anything@gmail.com to local@gmail.com, so if your email id is, for example, jane.doe@gmail.com, mail sent to jane.doe+acme@gmail.com or jane.doe+telco@gmail.com also lands in your inbox (Gmail also ignores dots in the part before the @, so janedoe@gmail.com is the same mailbox). So if I'm signing up for an insurance policy at Acme Insurance, I put +acme in my email id, like so: jane.doe+acme@gmail.com. The emails still land in my regular jane.doe@gmail.com inbox. This way, if anyone other than Acme sends me an email at that address, I know where the information leaked from. One caveat: the trick only catches careless leaks. Some signup forms reject a + in the address, and a marketer who bought a list can strip the +tag part before mailing; a distinct alias on your own domain for each service is harder to launder.
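The attribution step above can be automated over an export of your mailbox. The script below is an added example written for this post, not code from the original; it assumes Gmail-style addressing (dots in the local part ignored, everything after + ignored, case-insensitive), a hypothetical table of which tag was handed to which service, and a few constructed sample messages with made-up domains. A message whose recipient carries a tag but whose sender is not the service that was given that tag is flagged as a leak.

```python
"""Attribute inbound mail to the service that was given a plus-tagged address.

Added example, not code from the post. Assumes Gmail-style addressing:
local+tag@gmail.com is delivered to local@gmail.com, dots in the local
part are ignored, and matching is case-insensitive.
"""
import email
from email.utils import getaddresses, parseaddr

# Hypothetical registrations: the tag typed at signup -> the domain that
# legitimately owns that relationship. All domains here are made up.
REGISTRATIONS = {
    "acme": "acme-insurance.example",
    "telco": "telco.example",
}

# Constructed sample messages (RFC 5322 text); not real mail.
SAMPLE_MESSAGES = [
    "From: Acme Insurance <policy@acme-insurance.example>\n"
    "To: jane.doe+acme@gmail.com\nSubject: Your policy\n\nHello\n",
    "From: Deals <offers@cheap-loans.example>\n"
    "To: Jane.Doe+ACME@gmail.com\nSubject: Low-rate loans!\n\nBuy now\n",
    "From: Rival Telecom <port@rival-telco.example>\n"
    "To: janedoe+telco@gmail.com\nSubject: Switch to us\n\nOffer\n",
    "From: Friend <friend@example.net>\n"
    "To: jane.doe@gmail.com\nSubject: hi\n\nhi\n",
]


def split_tag(addr):
    """Return (canonical_mailbox, tag) for one address.

    'Jane.Doe+ACME@gmail.com' and 'janedoe+acme@gmail.com' both map to
    ('janedoe@gmail.com', 'acme'); an untagged address yields tag None.
    """
    local, sep, domain = addr.strip().lower().rpartition("@")
    if not sep:
        return addr.lower(), None
    base, plus, tag = local.partition("+")
    base = base.replace(".", "")
    return f"{base}@{domain}", (tag if plus and tag else None)


def sender_domain(msg):
    """Domain part of the From: header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def recipient_tags(msg):
    """All plus-tags found in To:, Cc: and Delivered-To: headers."""
    headers = (msg.get_all("To", []) + msg.get_all("Cc", [])
               + msg.get_all("Delivered-To", []))
    tags = [split_tag(addr)[1] for _, addr in getaddresses(headers)]
    return [t for t in tags if t]


def attribute(raw_messages, registrations=REGISTRATIONS):
    """Return a list of (tag, sender_domain, verdict) for tagged mail.

    verdict is 'expected' when the sender is the registered owner (or one
    of its subdomains), 'leak' when a different sender used the tag, and
    'unknown-tag' when the tag was never registered.
    """
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        sender = sender_domain(msg)
        for tag in recipient_tags(msg):
            owner = registrations.get(tag)
            if owner is None:
                verdict = "unknown-tag"
            elif sender == owner or sender.endswith("." + owner):
                verdict = "expected"
            else:
                verdict = "leak"
            findings.append((tag, sender, verdict))
    return findings


if __name__ == "__main__":
    for tag, sender, verdict in attribute(SAMPLE_MESSAGES):
        print(f"{verdict:12} tag=+{tag:<8} sender={sender}")
```

Point the script at an mbox export instead of SAMPLE_MESSAGES (the standard library's mailbox module yields the same Message objects) and the leaks list tells you, per tag, which service's copy of your address is now in someone else's hands. The untagged fourth message is deliberately ignored: only addresses you handed out with a tag can be attributed.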
I’m not going to point fingers at any particular organization or mobile app, but the results point to a very deep rooted ignorance on Data Security in India.
What needs to be done?
Our current IT laws are lacking in data security rules and regulations. None of these organizations are going to suddenly become self-governing and responsible for the customer data they hold. There have to be laws and penalties for companies which don't have adequate data security practices, and they must be held responsible for losing customer data. There also have to be mandatory rules to inform each and every customer whose data is compromised, so that they can keep a look out for suspicious activity in their accounts or take remedial action where possible. Customers cannot be left in the dark.
Recently the government has required banks to report IT breaches to it, but that still doesn't place any responsibility on banks to notify their customers, and since this applies only to banks, it leaves every other company out of the notification requirement.
What can I do?
As a consumer, I'd suggest that you don't give your private information to apps or companies unless you need to. How many of us have filled in our address and contact details at malls where they tempt us with a freebie or a draw to win prizes? Would you trust them with your information?
If you are filling in a signup form on an app and it asks for information like an address, date of birth or credit card, be wary of where that information is going. In most apps and websites I stopped filling in my real date of birth, because they have no business knowing what the real one is. Follow the email tip from the previous section to find out who's leaking information, and notify them of the problem.
What are your thoughts on this or do you have more tips? Let me know by leaving a comment.