The Domino's India data leak last week was unlike the series of data breaches Indian users have faced in recent times. The leaked data moved from the dark web to the easily accessible public internet, putting at risk the data of 18 crore users in the country.
Experts say policy intervention from the government is the need of the hour to protect user data and make companies accountable.
Domino’s data leak
On April 18, Israeli security researcher Alon Gal revealed that credit card data of 1 million customers of Domino’s India had been breached. This was later backed by Rajshekhar Rajaharia, a security researcher in India.
Rajaharia explained that the data was hacked in February 2021 and sold to a reseller, who in turn started selling it in April on the dark web. He told Moneycontrol that the leak happened due to a compromise of the company's Amazon Web Services (AWS) key, similar to what happened in the Mobikwik breach. He said he had alerted CERT-In, a government body set up to ensure cyber security, about the breach on March 5, but got no response.
Late last week, a link was circulated on the dark web where users could check their information. It was similar to the Mobikwik data leak, where users were able to search for their data on the dark web using the Tor browser.
That was hardly new. The last six months have seen a series of attacks on firms such as e-grocery major BigBasket, fintech firms JusPay, Mobikwik and Upstox, and Air India.
However, what is startling in the latest case is that a similar application was made accessible to a much wider audience.
Beyond dark web
On May 22, several users woke up to find their data widely available on the internet through a search link accessible from any browser. This means that anyone with internet access can get your details: a person needs only your mobile number or email ID to find the address you used at the time of ordering. Moneycontrol has verified this using the data of multiple users.
This could have severe implications. Imagine a stranger learning, without your knowledge, where you live now and where you lived in the past, along with the amount you spent on each order, going back several years. One of the data points Moneycontrol verified goes back three years.
If this is not enough, the search link itself is vulnerable, says T Prasad, Chief Information Security Officer, InstaSafe, a cybersecurity platform. He explained that by using SQL injection, a common hacking technique for attacking a database and extracting its data, attackers could obtain the information of all 18 crore users without even knowing a mobile number or email ID.
The company did not respond to Moneycontrol's detailed query on the steps it has taken to address the breach and on the scale of the user data that is now freely available on the web.
However, on the search link, its statement read: "Most data contains buyers order, phone numbers, email, which is not much relevant to our future business."
What does it mean for the users?
Users are not happy with the response of Domino's India. Many have demanded accountability from the firm.
But there is not much users can do about information such as addresses, email IDs and mobile numbers that has already been made public. Experts say users can block their cards and have them reissued by their banks, and reset their passwords, if they have not already done so.
They can also change their passwords wherever applicable to protect themselves from future breaches.
In an earlier conversation, Safir Anand, Senior Partner & Head of Trademarks, Anand & Anand, said that users can also claim actual damages, if they can establish the leak successfully, under the Consumer Protection (e-commerce) Rules, 2019.
According to Anand, “Considering the current rise in cyber theft in the course of the digital era, it is time that India starts exploring the options of class suit actions.”
However, these are expensive and hence not viable for the common man, pointed out an ethical hacker, Vinoth Kumar, in an earlier conversation with Moneycontrol.
Can companies be held accountable?
Technically, yes, if negligence can be established under Section 43A of the IT Rules 2011, which has provisions for data protection.
The rule states that whenever a company deals with any sensitive personal data or information, and is negligent in maintaining reasonable security practices to protect such data or information, thereby causing wrongful loss or wrongful gain to any person, the body corporate shall be liable to pay damages to the person(s) so affected.
“A company that fails to protect personal data of its users can be held accountable under Section 43A,” Anand said. Companies can also be held liable for negligence under Section 72A of the Act, where they do not safeguard the personal data collected by them, he pointed out.
However, so far there has not been any instance in India where a company was held accountable. The only way to protect user data, experts say, is to have a personal data protection bill. Karmesh Gupta, co-founder & CEO, WiJungle, a cybersecurity firm, told Moneycontrol earlier that the need of the hour is the personal data protection bill, which is yet to be implemented.