New Delhi (Sputnik): News reports of a recent data breach of American Express (Amex) credit card customer information, which was discovered by Hacken.io director of cyber risk research Bob Diachenko, unleashed panic in India. The database remained accessible to anyone on the internet for five days in October via an unsecured MongoDB server before Diachenko stumbled upon it. Sputnik spoke to Sanjay Kaushik, managing director of data security and cyber forensics at Netrika consulting firm, who is of the opinion that the case highlights how organisations can leave critical corporate and user data exposed, and serves as a reminder to implement robust security measures.
Sputnik: What does the leakage of data of 700,000 Amex India customers mean in terms of data security?
Sputnik: What are the potential damages that this data breach might have caused? What options do customers have when they share personal data with entities, trusting that it will be kept safe?
Sanjay Kaushik: Such data exposure may or may not have a direct financial impact but it can affect one's brand identity and customer confidence, which is key for any organisation to maintain its competitive edge. There is an immediate need for enactment/regulation of encryption of data, otherwise such breaches will continue to happen.
Data Security is a big problem in India and the way we see it, it is only going to grow. In 2016, around 3.2 million debit cards were compromised: from State Bank of India, HDFC Bank, ICICI Bank, YES Bank, and Axis Bank. Recently, cyber-criminals hacked the systems of Pune-based Cooperative Bank Ltd. and siphoned off a whopping Rs 944.2 million. The criminals stole the money and transferred it to foreign and domestic bank accounts across 28 countries over the weekend.
Recently, we released a report on cyber-security which revealed that 53% of Indian businesses don't know whom to contact in case they experience a data breach/cyber-attack. About 62% of organisations (withstood) an IT breach in the form of a virus attack, malware, phishing, or ransomware while only 32% said they did not suffer any breach in the past 12 months.
Sanjay Kaushik: There are several steps one can take in a situation like this. One option is to enable access control, enforce authentication, and configure and enforce role-based access control. Second is to encrypt and protect data. Third is to limit network exposure and allow only trusted clients to access the network interfaces and ports on which the database is available. Other measures could be to conduct vulnerability assessments and configuration audits from time to time, monitor for any activity that deviates from authorised activity, and respond immediately, in real time, to any abnormal or suspicious behaviour to minimise the risk of attack. Last but not least is to employ database forensics after an incident has taken place to determine the scope of the breach and to identify appropriate changes to systems and processes.
Sputnik: How do you see the future in terms of data security against the backdrop of such incidents?
Sanjay Kaushik: It is clear from such incidents that a cyber-attack does not necessarily imply a sophisticated attack strategy adopted by criminals. Cyber-attacks can be carried out with simple techniques, by exploiting a common or known vulnerability left open or unpatched due to inadequate enforcement of basic hygiene in IT security. Cyber-attacks are inevitable and companies have no option but to prepare themselves to respond to the attacks appropriately. It is high time we realised that when it comes to cyber-security, complacency is our biggest enemy. Today there is hyper-awareness surrounding cyber security, but still we keep hearing of breaches and their effects on our organisations and thereby on the country's economy.
We should be moving from passive approaches to cyber security towards more active approaches of threat hunting, knowing our enemy, or going one step further towards thinking like criminals if we are really going to match up with them.
Sputnik: What should be the role of the Government? What are your thoughts on data localisation plans by the RBI and the Indian government? How far do you think this will be helpful?
Sanjay Kaushik: Unless India has a data protection law and demonstrates robust enforcement of that law, it's difficult to see how storing user data in India would be useful.
Rather than creating a new law, the emphasis should be on implementing a legal framework for surveillance with appropriate protections for users' data. Enforcing a mandate to store data locally may become really taxing for companies that aspire to go beyond Indian boundaries for business expansion.
This will cost them additional dollars to maintain the legal and technical regimes of multiple jurisdictions, which will impose an additional burden on several start-ups.
The views and opinions expressed by the speaker do not necessarily reflect those of Sputnik.