Recently, WhatsApp confirmed that Israel based company NSO Group used a Spyware to spy on bureaucrats, journalists, activists, lawyers, and various countries globally including India. The popular chatting app has sued the Group alleged to have used the snooping software. WhatsApp has also warned several Indian users of the popular chatting app, who are believed to be the targets of the Spyware. In a blog post, WhatsApp stated, “We sent a special WhatsApp message to approximately 1,400 users that we have reason to believe were impacted by [May 2019] attack to directly inform them about what happened.” However, the exact number of WhatsApp users in India who have been impacted by this snooping episode is not known. It must be noted that India is the biggest market of WhatsApp with 400 million out of 1.5 billion users active in India. This also exposes the Indian users to a greater risk of data breach.
What makes the WhatsApp data breach a huge matter of concern, is the fact that it comes at the heels of reports of debit card and credit card details of 13 lakh Indians going for sale online came up. The reports of such sensitive details being traded on the dark web has created legitimate apprehensions of a major privacy scare for more than a million Indian users. And that too in the form of details related to their financial data. Security Researchers at the Singapore-based Group-IB have stated that the critical details of the Indian debit card and credit holders were being sold at a price of 100 US Dollars per card. The total value of the details that were being traded on the dark web is estimated to be around 130 million US Dollars. These mind-boggling statistics reveal how big a threat, the lack of data security is. Meanwhile, the RBI has asked banks to carry out a preliminary analysis of this matter and re-issue the credit and debit cards if the leaked data is found to be correct and genuine. This is not the first time that shocking reports of risks of financial data breach have come up. In 2016, 3.2 million debit cards of Indian users were compromised. SBI, HDFC Bank, ICICI, YES Bank and Axis Bank were the worst hit. Several victims had even revealed unauthorised data access from locations in China. This episode had also exposed the exorbitant costs of data breach and leakages. SBI, the biggest Public Sector Bank of India, alone had to re-issue six lakh debit cards. According to a report sponsored by tech major IBM, data breaches had cost Indian organisations Rs. 12.8 crore on an average in the time period between July 2018 and April 2019.
It is also pertinent to mention here that WhatsApp is not the only social media giant that has faced such data leakage issues. Last year, Facebook had disclosed that 5.62 lakh Indian users were affected by a major data leak case. Moreover, as per World Economic Forum’s 14th edition of Global Risks Report 2019, India also witnessed world’s largest data leak in 2018 as the government ID database, Aadhaar suffered several data breaches that potentially compromised the records of all 1.1 billion registered citizens.
It is clear that the data security is emerging as a critical issue. With several cases of data breaches and leaks in the recent past, it is also clear that the government must act promptly in order to safeguard the citizens of its data. With even financial data becoming vulnerable, there are significant costs attached to data leaks that does not augur well for India’s ambitions to lead global growth. Moreover, as the Right to Privacy has been recognised a Fundamental Right, it becomes the duty of the State to actively guard this right. The State cannot relinquish its duty of enacting safeguards to protect Citizens’ data. Breach of data is a serious violation of a citizen’s right and when there is violation of a right, there has to be an appropriate and efficacious remedy. A right without a remedy is no right. Therefore, the government must enact a data protection law without any delay.
Last year, the Justice B N Srikrishna Committee submitted its report on data protection to the law ministry. The committee was set up in August last year by the government to scrutinize concerns over data security and prepare a bill which could provide a framework on data protection. Thereafter, the government came out with a draft of the Personal Data Protection Bill, 2018 which aims at ensuring informational privacy as part of the Right to Privacy, a fundamental right. The bill provides to create Data Protection Authority of India, which aims to be an independent regulator on the lines of SEBI and TRAI. It is clear that the government is aware of the data breach scare and its consequences. Now, its all about showing the necessary political will and taking the much awaited step.
