IFF’s cybersecurity report for the second quarter of 2024



tl;dr 

Recent data breaches and leaks have underscored the widespread impact on the data security of millions of users. Grave cybersecurity incidents, like the Tamil Nadu Police Facial Recognition Portal breach and the Telangana Police Network data leak, have raised concerns about the detection and response capabilities of India’s cybersecurity authorities. This series will list the various cybersecurity incidents that occurred during a quarter in the country and our actions in response to them. We highlight the need for organisations to prioritise proactive measures, transparency, and public awareness to mitigate risks and foster cyber resilience in an interconnected digital world.

Important documents 

  1. Letter to CERT-In on ICICI Bank ‘iMobile’ app data breach dated May 8, 2024 (Link)
  2. Letter to CERT-In on Tamil Nadu Police Facial Recognition Portal data leak dated May 15, 2024 (Link)
  3. Letter to CERT-In on the Telangana Police Network data breach dated June 21, 2024 (Link)
  4. Letter to the Telangana government regarding the Telangana Police Network data breach dated June 21, 2024 (Link)
  5. Letter to CERT-In on Dropbox data leak dated May 23, 2024 (Link)
  6. PlugTheBreach (Link)

The grim state of cybersecurity in India

The urgent need to operationalise the Digital Personal Data Protection Act (“DPDPA”), 2023 is underscored by the increasingly pervasive threats to individuals’ digital privacy and security. As technology advances, so do the methods and scale of cyberattacks, leaving individuals and organisations vulnerable to data breaches, identity theft, and surveillance. A comprehensive, robust, and rights-respecting data protection legislation is essential to establish clear guidelines, regulations, and enforcement mechanisms to safeguard personal information, ensure transparency in data handling practices, and hold entities accountable for any lapses in cybersecurity protocols. The inadequacies of the DPDPA, 2023 in safeguarding data privacy and empowering data principals in the event of a breach as well as the current grim state of cybersecurity in the country reveal concerning gaps and vulnerabilities. Despite efforts to bolster cybersecurity measures, including establishing dedicated agencies and initiatives, challenges such as insufficient resources, outdated infrastructure, and a shortage of skilled professionals persist. The exemption of the Indian Computer Emergency Response Team (“CERT-In”) in 2023 from the Right to Information (“RTI”) Act, 2005 raises serious concerns about the accountability of an organisation whose actions or inaction is consequential for the status of cyber security and individual privacy in the country. This move is certainly not in the public interest as it weakens the rights of the people by diluting an Act meant to empower them.

Data breaches and vulnerabilities in 2024 Q2

  1. Data breach of ICICI Bank ‘iMobile’ app: ICICI Bank reportedly blocked 17,000 credit cards after a technical glitch in its mobile banking application, ‘iMobile Pay’, following user complaints about customer card details being visible to other users. The breach was initially flagged on a financial forum called Technofino, where details of users including Card Verification Values, full card numbers, and card expiry dates were shared. Following this, an ICICI Bank spokesperson acknowledged the breach to Mint and stated that “the glitch was due to ‘erroneously mapped’ data of 17,000 new credit cards in their digital channels.” We wrote a letter to CERT-In, the nodal authority assigned to oversee data breaches, bringing this breach to their notice and highlighting that such a glitch in the mobile banking app puts the customer at risk of financial loss as well as data theft.
  2. Data Breach of the Tamil Nadu Police Facial Recognition Portal: A significant data breach reportedly affected the Tamil Nadu Police Facial Recognition Portal (“TNP-FRP”) which contained a large volume of facial biometric data collected through facial recognition software used by the state police to track criminals and missing persons. The breach of the FRP was reported on the social media platform X (formerly Twitter) by Falconfeeds.io, which said data samples from the TNP-FRP have been put on sale for $2 to $3 on the dark web. A group named ‘Valerie’ claimed responsibility for the breach. As per reports, a file comprising 55,000 lines of data regarding details of police officials, including IPS officers, a second file with 8.9 lakh lines of FIR data and another with 2,700 lines of data on police stations were compromised. The breach was communicated to the Electronics Corporation of Tamil Nadu, Tamil Nadu E-Governance Agency, and CDAC-Kolkata for necessary action and a complaint was also filed with the cyber-crime wing. Read our letter to CERT-In here. Read our post explaining the data breach and how facial recognition systems need to be banned due to lack of adequate safeguards under Indian law.
  3. Data Breach(es) of the Telangana Police Network: From May 29 to June 7, 2024, three significant data breaches were suffered by the Telangana Police Network. On May 29, the citizen-facing ‘community policing’ mobile application ‘HawkEye’ reportedly suffered a data breach where thousands of emails and phone numbers, 1.30 lakh SOS records, 70,000 incident reports, 20,000 travel detail records (and as per some reports, location coordinates) were allegedly exposed and posted on data leak site BreachForums.

On June 7, the network was hit by a second breach, this time on Telangana police’s TSCOP App—which uses an integrated facial-recognition system to help police officers access crime and criminal databases and match images of people taken during patrols. Exposed information reportedly includes offender records, police gun licences, police officer names, designations, and pictures, and police station affiliations. The same day, the Telangana police SMS service, which is a gateway for police officers to send SMS updates and awareness messages to Telangana residents, was reportedly breached. This exposed police alerts and important notices, which included police personnel’s personal data and contact information. All three breaches were reportedly carried out by the same threat actor ‘Adm1nFr1end’. 

Police officials stated there “could be a tech lapse” in the TSCOP App resulting in the data leak, but no additional details have been furnished. Additionally, as of 12 PM on June 21, 2024, the TSCOP website displayed a temporary shutdown of service. The Android TSCOP App was also down. Such a temporary shutdown would have been warranted to initiate an investigation and curb the damage of the multiple data breaches. A month after the data breach, the TSCOP website was live again and open for public use. We wrote a letter to CERT-In and the Telangana government highlighting the inadequate cybersecurity measures being taken by the Telangana police and raising our concerns about the police’s data collection, storage, and sharing practices, prompting investigations and calls for transparency. Read our post decoding the three data breaches and what it means for individual privacy, as well as the state police force’s inadequate response to the data breaches.

  4. Dropbox data leak: A significant data breach was reportedly suffered by Dropbox, a file hosting service, that exposed customer details. The unidentified threat actor accessed customer information such as emails, usernames, phone numbers, and hashed passwords as well as general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. The breach also affected users who never created an account but received or signed a document through Dropbox Sign, specifically exposing their names and email addresses. In response to the breach, the Dropbox security team “reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is coordinating the rotation of all API keys and OAuth tokens”. Read our letter to CERT-In here.

PlugTheBreach: IFF’s data breach tracker

You can find a non-exhaustive list of data breaches in the country since 2020 on a publicly accessible database, PlugTheBreach, a small-scale IFF initiative aimed at covering, reporting, and tracking data breaches in India to increase transparency and public awareness.

Conclusion 

The multitude of recent data breaches and leaks underscores the critical importance of robust cybersecurity measures in today’s digital landscape. From breaches compromising sensitive defence personnel information to vulnerabilities in major databases and platforms, these incidents highlight the pervasive risks individuals and organisations face. 

In light of these challenges, organisations must prioritise proactive cybersecurity measures, including regular audits, robust encryption protocols, and swift incident response procedures. Moreover, there’s an urgent need for greater transparency and accountability in handling data breaches, as seen in cases where affected companies failed to acknowledge or adequately address the breaches promptly.

Public awareness and education on cybersecurity best practices also play a vital role in mitigating risks and fostering a culture of cyber resilience. Thus, as we navigate an increasingly interconnected digital world, we must remain vigilant and proactive in safeguarding our digital assets and protecting user privacy. 


