WhatsApp Snooping Case | Lessons to learn from this data breach

Representative Image

The recent WhatsApp data breach brought about the vulnerabilities of consumer apps and solutions to the fore, yet again. Data leaks and breaches are possible in every app, especially consumer apps. Popular messaging apps such as WhatsApp, which are used by hundreds of millions of users, are popular target for hackers. Apps with a smaller use base are seldom targeted by hackers, though they are equally vulnerable.

Technically, a 100 per cent secure messaging app is a myth. With data passing through both the apps’ and telecom service providers’ enterprise networks, there exist multiple opportunities with varying degrees of security to tap in and access data. The production of data in 2020 is expected to be 44 times as it was in 2019, and over 70 per cent of digital data is expected to be generated by individual users — the remaining 30 by enterprises. Over one-third of data is expected to be hosted on the cloud in 2020. All this require robust security protocols at all levels, devices and platforms.

It’s important to understand the common types of data breaches: Ransomware, Malware, Phishing, and Denial-of-Service (DoS). Ransomware is a malicious software which gains access and locks down access to vital data. These attacks most commonly target businesses. Files and/or systems are locked down and a certain fee is demanded for their release/access. Malware is a software designed to harm computer files and/or systems. Ironically, malware often masquerades as a warning against malicious software in an attempt to convince users to download the very types of software mentioned in the ‘warning’ message.

Phishing occurs when someone or something mimics a trusted, reputable entity in order to collect sensitive data (often banking or highly personal details). These attacks are not exclusive to the Internet. Common methods for phishing scams can include a pop-up on the browser, an email with a link or a person on the phone claiming to be a representative of a reputable company. A DoS breach essentially takes away access to websites and webpages. When this happens at large scale, it’s known as a distributed denial-of-service (DDoS).

However, the recent case of WhatsApp data leak targeting specific citizens (mostly journalists and activists) is a case of vested interests attacking for the purpose of spying. These kind of data breaches require strong State-level diplomatic and policy-based security.

In India, such targeted data breaches and attacks are rare and unprecedented. Other countries such as South Korea, Japan and China have penalties for companies (mostly in financial sector) that are not able to protect their users’ data. Countries such as the United States and China regularly prosecute and convict individual hackers for data breaches. However, there have not been any successful cases of companies being prosecuted for releasing spyware on targeted individuals, as in the case of the current WhatsApp data leaks of specific citizens by the Israeli company NSO Group’s spyware called Pegasus.

The Indian government at a policy and regulatory level is taking steps to safeguard its citizens’ rights and their digital data. The draft Data Protection Bill 2018 submitted by a 10-member committee to the government on July 27, 2018, is a great start in the right direction towards data privacy and regulation in India. The very first line of India’s Data Protection Bill — ‘Data privacy is a fundamental right of every citizen’ — sets the context and empowers the individual. The Bill goes on to charter a well thought-out framework, covering exhaustive touchpoints. Apart from this, The Data Localization Mandate by the government is a step closer to hold companies responsible and accountable for Indian citizens’ data.

Going forward, with the advances in quantum computing and it becoming mainstream, none of the existing data security protocols will be resilient to hacks using this technology. We are witnessing some quantum security solutions and protocols, but that industry is yet to hit an inflection point. The safeguarding of citizens’ data needs to be both a combination of technology and policy-based solution. They need to be continuously updated as the data breach methodologies keep evolving.

Jayanth Kolla, Partner, Convergence Catalyst, Views are personal.