Security Experts Discuss the Nature of Security Incident
Personal details of over 100 million customers of Reliance Jio, a large telecom company in India, were leaked and offered for sale on the dark web, according to news reports. But the company says the data appears to be unauthentic and claims it has not been breached. Some customers, however, contend they have verified the data’s authenticity.
See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach
In a new development, police have detained a man in connection with their investigation of the apparent data leak, according to Reuters.
Although the data was offered for sale on the dark web in April, it was made public on a website called Magicapk only a few days ago, according to security experts. That website has since been brought down.
Some security practitioners say the culprits didn’t want to reveal the actual vulnerability of the website. “The intention was to basically create a website and prove to Reliance Jio that they are in hold of real data of their customers,” says J. Prasanna, director at the Cyber Security and Privacy Foundation Pte Ltd.
Magicapk apparently was registered in May 2017 by Godaddy. No one has come forward to take responsibility.
In a statement, Reliance Jio denied getting breached. “We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie, the data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement. We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken,” the statement read.
Some customers of Reliance Jio, however, claim they have verified the authenticity of the data by typing their mobile number on Magicapk. The site had a pursuit box where one can enter any Jio number and get subtle elements of a client. “I put out my mobile number and rest of my data was displayed, which included the Aadhaar number, email ID and SIM activation date and time,” the CISO of an IT firm, who wants to remain unnamed, tells Information Security Media Group.
It remains unclear whether all of the data about every customer was compromised or a subset, because a few queries on the Magicapk site returned blank results, say experts.
Reliance Jio has hired the consultancy EY to investigate the matter, according to news reports.
Reliance Jio did not respond to a request for comment.
Impact of the Breach
Reliance Jio customer data that was apparently leaked included email ID, SIM purchase and activation date as well as Aadhaar number.
Although some customers are concerned that leaked Aadhaar numbers may lead to further breaches, some security practitioners dismiss those concerns (see Security and Privacy Challenges of Aadhaar-based Authentication). “I don’t see a major impact with just Aadhaar number leakage,” says the CISO of an education firm, who wished to remain anonymous. “One would need biometric verifications or other details. Nevertheless, a breach is a breach and this should not be taken lightly.”
So, What Happened?
Some security experts are offering theories about how the apparent data leak might have occurred.
The CISO from an education firm believes there’s a possibility that Reliance Jio was hacked by criminals demanding a ransom. “I am assuming they refused to pay leading the culprits to reveal the data,” he says.
But the CISO of an IT firm, who asked not to be named, suggests the leak may have stemmed from a phishing campaign to gain an insider’s credentials, as has been common in many other major data breaches.
“More often than not, because of lack of awareness, people handling sensitive personal information click on links that they shouldn’t. Though phishing emails are hard to detect, people don’t usually understand that unintentional random clicks can lead to big damage for the company,” he says.
A security researcher, who asked not to be identified, has another theory: A third party managing data for Reliance Rio may have been breached. “You expect proper security practices in place in a company like Reliance Jio. However, things can get a bit tricky at the vendor side in case they don’t have the best practices in place,” the researcher says.
Risk Mitigation Approach
If it turns out that Reliance Jio, was, indeed breached and its data security was subpar, it’s far from certain that the company would face government sanctions.
“Under provisions of IT Act 2008, in case a company is negligent in protecting the ‘sensitive personal information’ under Section 43A, a legal action can be undertaken,” says Biju Nair, executive director, Software Freedom Law Centre, a donor supported legal services organization that brings together lawyers, policy analysts, technologists and students . However, in this case, the data apparently leaked may not qualify as sensitive personal information, he says.
“Reliance Jio will also be liable under Section 72A if it is found to have violated its contractual terms with customers,” he says. But the government rarely takes this approach because customers rarely file complaints due to lack of awareness of the regulation.
Because of these difficulties, Nair advocates adoption of a strong Indian data protection law along with appointment of a data commissioner to help enforce it.
In the meantime, to help prevent breaches, Indian organizations should carry out regular APT assessments, says Rohan Vibhandik, a cyber intelligence expert. “In Europe it’s done every six months. It’s high time Indian organizations too start implementing such measures,” he says. “We have competent CISOs. But there is lack of maturity in terms of security. So he alone can’t be blamed.”
The unnamed CISO of an IT firm says Indian organizations should hire white hat hackers to conduct regular vulnerability testing. “The red teaming exercise is must,” he says. “It’s no longer a choice. Things over the past few years have moved very fast. The only way is to think and act like a hacker.”