Data breaches could turn costlier even for government entities and public sector units (PSUs) once the Data Protection Bill becomes law. They will have to strengthen their data security networks because they may end up paying penalties of up to ₹500 crore in case of cybersecurity breaches.
This particular provision in the draft Bill assumes significance because of the recent reports of massive data breaches at government entities like AIIMS and IRCTC. Though these breaches were due to external hacking, that would not be treated as grounds for exemption from paying the penalty.
“The draft Bill does not provide any exemption to government entities for data breach,” minister of state for electronics and IT, Rajeev Chandrasekhar had recently told FE.
Sensitive personal data of around 30 million IRCTC users were reportedly available on the dark web for sale. The leaked data that included details like email, cellphone number, address, age and gender was posted in a dark web hacker forum for sale at $400 per copy. IRCTC, however, denied the breach data was obtained from its servers. Yet it notified CERT-In regarding a possible leak, as required by the existing IT Act.
“In this connection, it may be submitted that the Railway Board had shared a possible data breach incident alert of CERT-In to IRCTC reporting a data breach pertaining to Indian Railways passengers…On analysis of sample data, it is found that the sample data key pattern does not match with IRCTC history API. Reported/suspected data breach is not from the IRCTC servers,” IRCTC said in a statement on Thursday.
This isn’t the first instance of an alleged data breach at IRCTC. There were reports of similar data breaches at the organisation in 2016 and 2020. In both these instances, sensitive data of passengers was allegedly posted for sale on the dark web. However, in both these instances, IRCTC had denied any such breach.
Recently, the most devastating cybersecurity attack on the country’s premier hospital, AIIMS in Delhi, took down around 100 critical servers in a typical Denial of Service (DoS) attack. The cyber attack on AIIMS Delhi held servers for ransom and compromised the personal data of millions of patients.
Hackers reportedly demanded a ransom of up to ₹200 crore for releasing the server control. AIIMS said in a statement last month that the attack originated from Chinese hackers. The premier hospital also fired two cybersecurity analysts who were tasked with securing the systems.
Hackers have been increasingly targeting PSUs and the government of late. Data gathered by cyber security firm CloudSEK showed that the number of attacks targeting the government sector has increased by 95% in the second half of 2022, as compared to the same period in 2021.
India, the US, Indonesia and China continued to be the most targeted countries in the past two years. Together, these four countries accounted for almost 40% of the total reported incidents in the government sector, CloudSEK said in a report on Thursday.
Although the primary motive of most of these hackers is extracting data and selling it for monetary benefits, hacktivist groups have been more active in 2022, CloudSEK added.