
tl;dr
Recent data breaches and leaks have underscored how widely such incidents affect the data security of millions of users. Grave cybersecurity incidents, like the Ministry of Agriculture and Farmers Welfare website breach and HDFC Life Insurance data leak, have raised concerns about the detection and response capabilities of India’s cybersecurity authorities. This series will list the various cybersecurity incidents that occurred during a quarter in the country and our actions in response to them. We highlight the need for organisations to prioritise proactive measures, transparency, and public awareness to mitigate risks and foster cyber resilience in an interconnected digital world.
The grim state of cybersecurity in India
The urgent need to operationalise the Digital Personal Data Protection Act (“DPDPA”), 2023 is underscored by the increasingly pervasive threats to individuals’ digital privacy and security. As technology advances, so do the methods and scale of cyberattacks, leaving individuals and organisations vulnerable to data breaches, identity theft, and surveillance. A comprehensive, robust, and rights-respecting data protection legislation is essential to establish clear guidelines, regulations, and enforcement mechanisms to safeguard personal information, ensure transparency in data handling practices, and hold entities accountable for any lapses in cybersecurity protocols. The inadequacies of the DPDPA, 2023 in safeguarding data privacy and empowering data principals in the event of a breach, as well as the current grim state of cybersecurity in the country, reveal concerning gaps and vulnerabilities. Despite efforts to bolster cybersecurity measures, including establishing dedicated agencies and initiatives, challenges such as insufficient resources, outdated infrastructure, and a shortage of skilled professionals persist. The exemption in 2023 of the Indian Computer Emergency Response Team (“CERT-In”), the nodal authority assigned to monitor data breaches, from the Right to Information (“RTI”) Act, 2005 raises serious concerns about the accountability of an organisation whose actions or inaction are consequential for the status of cybersecurity and individual privacy in the country. This move is certainly not in the public interest as it weakens the rights of the people by diluting an Act meant to empower them.
Data breaches and vulnerabilities in 2024 Q4
- Signzy data leak: Signzy, one of India’s leading companies, which offers identity verification services to financial institutions, reportedly suffered a data breach which compromised the customer data of some of their clients. The hack allegedly involved the use of an ‘information stealer malware,’ which resides on an infected computer and sends data to the hacker, which can include login credentials and personal information. In response to the breach, Signzy acknowledged that it was aware of the security incident but declined to comment on whether customer data had been exfiltrated, and did not clarify what data and which clients had been affected by the leak. The company’s spokesperson also stated that they had hired a “professional agency for conducting the security incident investigation.” Following this, CERT-In stated that it was aware of the incident and “in process of taking appropriate action with the concerned authority.” Read our letter to CERT-In here.
- HDFC Life Insurance data breach: It was reported that HDFC Life Insurance, a long-term life insurance provider headquartered in Mumbai, suffered a massive data breach affecting 1.6 million customers. The unidentified threat actor exposed sensitive customer information, including policy numbers, names, mobile numbers, dates of birth, email addresses, residential addresses, and health status. According to the research wing of CyberPeace, the stolen data was sold on a Dark Web forum for 200,000 USDT (Tether cryptocurrency). The data was offered in smaller batches, starting from 100,000 records, with opportunities for private negotiations for buyers seeking personalized deals. HDFC Life acknowledged the breach on November 25, 2024, in its regulatory filings, noting that an unknown source had shared customer data fields with the company. The company also launched a detailed investigation with information security experts to identify the root cause and implement corrective measures. We wrote a letter to CERT-In, bringing this breach to their notice and highlighting that such a data breach can put the customers at risk of financial loss.
- Ministry of Agriculture and Farmers Welfare website breach: A significant data breach reportedly affected the Ministry of Agriculture and Farmers Welfare (“MoA & FW”) website, which was hacked by U31, a Thai gambling platform. Users attempting to access the official website were presented with a banner advertising the gambling platform, which had unlawfully replaced the legitimate government content. The attack not only disrupted access to essential governmental resources but also raised concerns regarding the security and integrity of the Ministry’s digital infrastructure. Notably, the website displayed a notice of “scheduled maintenance” from 11 am to 10 pm on November 28, 2024, which may have been a cover for the unauthorized intrusion. However, the MoA & FW did not officially comment on the matter. We wrote a letter to CERT-In highlighting the inadequate cybersecurity measures being taken by the Ministry.
PlugTheBreach: IFF’s data breach tracker
The multitude of recent data breaches and leaks underscores the critical importance of robust cybersecurity measures in today's digital landscape. From breaches compromising sensitive personal information to vulnerabilities in major databases and platforms, these incidents highlight the pervasive risks individuals and organisations face. You can find a non-exhaustive list of data breaches in the country since 2020 on a publicly accessible database, PlugTheBreach, a small-scale IFF initiative aimed at covering, reporting, and tracking data breaches in India to increase transparency and public awareness.