Are data breaches the new normal?

In the last two months, there were more than half a dozen major breaches globally. India has not seen a single major incident. Too good to be true?

Are data breaches the new normal? - CIO & Leader

Adidas is in the headlines for the wrong reasons. No, not because two of the serious contenders it outfits—Germany and Spain—failed to make it to the round of 16 in the ongoing World Cup, while all the major contenders wearing jerseys supplied by arch-rival Nike—Brazil, England and France—have made it to the quarter finals.

But that is part of the game. And in any case, overall, Adidas still leads 12-10 and three teams—Russia, Belgium and Sweden—have made it to the quarters.

Adidas’ negative headlines emanate not from the football field but from its information systems. The company announced a significant data breach involving the data of US customers who purchased from its online store. The compromised data include name, contact information, user name and encrypted password. Millions of customers could have been exposed, though it is not clear how many records were actually taken.

Adidas has good company. There are at least half a dozen breaches that consumer companies have announced in the last two months alone (the actual breaches may have occurred earlier).

Just a couple of days prior to the Adidas announcement, another huge compromise was reported. The exposure at Exactis, a marketing firm, involved a database that contained close to 340 million individual records sitting on a publicly accessible server, unprotected by any firewall, according to a report by Wired. The company claims to possess data on 218 million individuals, including 110 million US households. Unlike most such exposures, which contain generic data like name, address and email IDs, the Exactis database contains “more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel.”

While not many in India—and even in the US—would have heard the name Exactis, it works for major consumer companies and is primarily a data company.

"It seems like this is a database with pretty much every US citizen in it," Wired reports security researcher Vinny Troia as saying. Troia discovered the exposure. At 340 million records, it is bigger than last year’s Equifax breach, which saw a compromise of 145 million records.

Wired reported that while “the leak doesn't seem to contain credit card information or Social Security numbers, it does go into minute detail for each individual listed, including phone numbers, home addresses, email addresses, and other highly personal characteristics for every name. The categories range from interests and habits to the number, age, and gender of the person's children.”

Just like Exactis, survey firm Typeform has seen a breach that impacts the consumer data of many of its clients, such as the Tasmanian Electoral Commission, British prestige brand Fortnum & Mason, digital bank Monzo, and food maker Birds Eye. Some of them have issued alerts to their customers, but they are just a fraction of the thousands of customers that Typeform has.

Specialized third-party B2B providers seem to be the weak link.

Another such provider, [24]7.Ai, an offshore service provider with huge operations in Bangalore (earlier called 24/7 Customer), saw its tools infected with malware, which could have impacted hundreds of thousands of shoppers of Delta Airlines, Sears, Kmart and Best Buy. Other [24]7.Ai customers include American Express, AT&T, Citi, eBay, Farmers Insurance and Hilton. Amex and Farmers clarified that they weren't affected by the breach.

The breaches are not restricted to the US alone.

In Australia, online health services firm HealthEngine notified users last week that a small group of users’ data may have been improperly accessed via HealthEngine’s Practice Recognition System on its website.

“Due to an error in the way the HealthEngine website operated, hidden patient feedback information within the code of the webpage was improperly accessed. This information is ordinarily not visible to users of the site,” the company said in a statement. More than 59,600 patient feedback entries may have been improperly accessed.

In the UK, online ticket booking site Ticketmaster identified malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster. The company said in a statement that less than 5% of its global customer base has been affected by this incident.

“UK customers who purchased, or attempted to purchase, tickets between February and June 23, 2018 may have been affected,” said the company.

There are more. Harvey Norman, an Irish retailer, and PageUp, an Australian HR and recruitment firm, also saw similar breaches involving data such as the names and contact information of their users and, in PageUp’s case, of employees and referees.

Is India better placed?

Despite tall claims by vendors, all the great software and practices have not been able to curb the massive growth in data breaches.

According to Gemalto’s latest Breach Level Index (2017), more than 4.8 million records are compromised every day. In 2017 alone, 2.6 billion records were stolen, lost or exposed worldwide. This was an 88% jump over the previous year, 2016, even though the number of incidents declined marginally (by 11%).

In India, though, we rarely see reports on major data breaches. Except for the Aadhaar breach, we hardly see the media discussing major data breaches.

Is India bucking the trends?

Far from it. According to the same Breach Level Index by Gemalto, 3.24 million records were stolen, lost or exposed in India in 2017. If that seems a much smaller number—it is less than 0.25% of global records—that is because the number of consumer records online is far less.

But India is catching up. While the global number of data records compromised grew by 88%, in India that growth was 783% between 2016 and 2017. There were as many as 29 data breaches in the entire year, and 58% of them were identity thefts.

Of the 29 data breach incidents in India in 2017, identity theft was the leading type of breach, accounting for 58% of all incidents, a trend similar to the global picture, where 69% of all breaches were identity thefts.

Without strong regulations, companies do not report breaches, and that is the reason behind the lack of coverage and public sensitivity. According to the Gemalto report, the second largest global breach in 2017 occurred in India.

This involved the compromise of 200 million records at the Motor Vehicle Department of Kerala. This could have been a political hot potato. But with little sensitivity about privacy, Indian political parties lack the will and understanding to highlight this.

At a BLI score of 9.9 (only marginally less than the globally infamous Equifax breach, which was assigned a score of 10), this was in the same league. Yet few, even in the security community, know about it.

While Europe’s GDPR and the UK’s Data Protection regulation may well strengthen the practice of protecting customer data, without public awareness and media sensitivity, the forthcoming Indian data protection regulation may not be half as effective.