Taj Hotels, owned by the Tata Group, reportedly fell victim to a significant data breach which allegedly exposed personal information of 1.5 Mn customers
The incident underscores the persistent threat of data breaches in large organisations, prompting a closer examination of cybersecurity measures across industries
According to experts, the surge in cyberattacks on Indian enterprises is driven by reliance on third-party platforms, interconnected ecosystems and a lack of security hygiene, among other factors
At a time when technological advancements are boosting the means for business expansion, India’s enterprises are increasingly confronting a serious challenge – data breaches. These breaches are becoming alarmingly frequent, affecting a wide range of organisations from burgeoning startups to established corporates.
In the third quarter of 2023, India emerged as the 10th most breached country worldwide, with a significant count of 3,69,000 leaked accounts, according to cybersecurity firm Surfshark. It was the third consecutive quarter in 2023 when India found a spot in the top countries globally for data breaches, despite the breach rate declining 74% from 1.4 Mn leaked accounts in Q2.
A diverse array of businesses, including furniture rental startup Rentomojo, rail ticketing app Railyatri, stock broker AngelOne, and even government databases like Aadhaar and Cowin, have suffered data breaches in 2023 so far.
Last week, Taj Hotels became the latest entrant to this list. The luxury hotel chain, owned by the Tata Group, reportedly fell victim to a significant data breach which allegedly exposed personal information of 1.5 Mn customers.
So, what is driving up these data breach incidents? Experts point to a combination of factors. Key among these are the dependence on third-party platforms for securing data, the varied levels at which data is handled within organisations, the use of corporate email IDs for non-corporate activities, and the complex web of interconnected systems and entities within these large enterprises.
But before we delve further into this, let’s understand what exactly happened in the Taj Hotels case.
How The Taj Data Breach Came To Light
As per an ET report, the breach was orchestrated by an individual using the moniker “Dnacookies”, who demanded a ransom of $5,000 (approximately INR 4.16 lakh) for the complete dataset. The compromised information reportedly included addresses, membership IDs, mobile numbers, and other personally identifiable details, raising concerns about the potential misuse of such sensitive data.
The attacker chose BreachForums, a platform known for hosting illicit data sales, to make the ransom demand. This marketplace, previously targeted and taken down twice, is a preferred venue for threat actors seeking to sell compromised data. Last month, when reports surfaced that sensitive information of 81.5 Cr Indians, including Aadhaar and passport details, was allegedly available on the dark web, a hacker named ‘pwn0001’ had advertised that data on BreachForums.
Coming back to the Taj case, the threat actor claimed that the customer data had not been shared with anyone and set a few conditions for the ransom negotiation, including that a forum administrator act as the middleman.
Responding to the incident, a spokesperson of the Indian Hotels Company Ltd, which runs Taj Hotels, said in a statement, “We have been made aware of someone claiming possession of a limited customer data set which is of non-sensitive nature.”
The company’s claim of ‘non-sensitive data’ raised further questions as full disclosure regarding the specific personal identification information exposed was not available beyond what was reported.
Usually, a hotel holds data such as contact information, demographic details including gender, address and location, and even financial information such as the credit/debit card details of its guests.
What Is Sparking The Surge In Data Breach Incidents?
According to cybersecurity experts, large enterprises often rely on complex networks of partnerships, including with third parties. This growing reliance on external relationships adds more risks when it comes to data security and a smart approach is required to manage these risks effectively.
When a company gives third parties access to its internal assets, the security of its data depends on how well those third parties handle security. If a hacker breaches a company within the network of one of these third parties, the data that the compromised company has access to is put at risk, they say.
“Post-Covid, a plethora of products and service platforms have emerged, providing value-added services to large enterprises. These services include areas such as customer loyalty and retention, aiding in enhancing control over customer profiles. When integrated with back-end engines, the cohesive system becomes reliant on third-party capabilities to furnish a secure platform,” Pankit Desai, CEO of cybersecurity solutions provider Sequretek, told Inc42.
Furthermore, the use of corporate email IDs on non-corporate platforms is also risky. In the event of a breach on one of these external sites, the corporate email IDs and their passwords are exposed along with everything else, Desai added.
According to Bala Venkatramani, cofounder and CEO of access security and governance platform Securden, the weakest link in terms of data security is always the ‘human factor’.
“The human factor, when coupled with a lack of adherence to fundamental security principles, leads to disasters. The human factor involves not just employees but also third-party contractors or partners an organisation works with,” Venkatramani said.
Organisations in the hospitality sector deal with their customers’ personal and financial data and are clearly low-hanging fruit for hackers. Data stolen from a hotel chain could be used to attack thousands of individuals, Venkatramani said, adding that large hotel chains across the world have faced cyberattacks in the recent past and the pattern remains strikingly similar.
Another expert, who didn’t wish to be named, told Inc42 that large enterprises are experiencing a surge in cyberattacks due to their vast digital footprint and vulnerabilities in the new technological infrastructure.
The rapid deployment of complex technological systems in the course of digital transformation has introduced inherent weaknesses, making these systems attractive targets for malicious cyber activities. Moreover, the growing reliance on big data and artificial intelligence (AI) has prompted ‘hoarding’ of data with aspirations of future monetisation, the expert opined.
Social Engineering Attacks — Everyone Is A Target
When it comes to consumer-facing businesses, reputable brands are prime targets. Attackers mount advanced persistent threats (APTs) that capitalise on recently identified zero-day vulnerabilities, and they also use social engineering attacks, often initiated through email or SMS, to target big brands, according to Desai.
In simple terms, a social engineering attack uses psychological manipulation to get access to sensitive data via human interactions.
“Hackers research LinkedIn and launch targeted attacks. They gather information about employees and third-party contractors connected with the target organisation and send phishing emails. All they need is an unsuspecting employee or a contractor clicking the link. Then, a variety of innovative social engineering actions follow, leading to APTs. The hackers end up harvesting credentials to gain access to systems and applications,” Venkatramani explained.
In the hospitality sector, cyberattacks are predominantly fuelled by poor password hygiene, Venkatramani added. This covers inadequate credential management, widespread password reuse across IT assets, insufficient controls on access authorisation, insecure sharing methods such as reading passwords out over the phone, credentials left embedded in development environments, and neglect of basics such as creating strong passwords and rotating them regularly.
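Two of the hygiene lapses listed above can be checked mechanically, and an added example of doing so follows. It is not tooling from Securden, Sequretek or Inc42, and its inputs (a handful of source and config lines, and a password-vault export with assets, accounts and rotation dates) are constructed for the example; real scanners use far larger pattern sets. The first check flags secrets hard-coded in source or config while ignoring environment lookups and placeholders; the second finds the same password reused across different assets or accounts, and passwords older than a rotation window. Neither check echoes the secret itself in its output, so the report can be shared with the teams that have to fix it.

```python
"""Added example: two password-hygiene checks over constructed inputs.
Not the experts' or the company's own tooling."""
import hashlib
import re
from collections import defaultdict
from datetime import date

# Constructed sample of lines a developer might leave in a repo or .env file.
SAMPLE_SOURCE = """\
db_url = "postgres://pms_app:Summer2023!@db.internal:5432/pms"
SMTP_PASSWORD=Summer2023!
api_token = os.environ["API_TOKEN"]
redis_password: ${REDIS_PASSWORD}
# password = "<redacted>"
admin_password = "changeme"
"""

# Constructed vault export: (asset, account, secret, last rotation).
VAULT_EXPORT = [
    {"asset": "pms-db", "account": "pms_app", "secret": "Summer2023!", "rotated": date(2023, 6, 1)},
    {"asset": "smtp-relay", "account": "noreply", "secret": "Summer2023!", "rotated": date(2023, 10, 15)},
    {"asset": "loyalty-api", "account": "svc_loyalty", "secret": "t7Gv-2xQm-p9Lw", "rotated": date(2023, 11, 1)},
    {"asset": "booking-vpn", "account": "vendor_acme", "secret": "Summer2023!", "rotated": date(2022, 12, 1)},
]
AUDIT_DATE = date(2023, 11, 20)  # hypothetical date the audit is run

# A secret-looking key (password, token, api_key ...) assigned a literal value.
_ASSIGN = re.compile(
    r'(?i)([a-z0-9_.-]*(?:password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key)'
    r'[a-z0-9_]*)\s*[:=]\s*["\']?([^"\'\s]{4,})')
# Credentials embedded in a connection URL: scheme://user:pass@host
_URL_CREDS = re.compile(r'\b[a-z][a-z0-9+.-]*://[^/\s:@]+:[^@\s]+@', re.I)
# Values that are lookups or placeholders rather than real secrets.
_PLACEHOLDER = re.compile(
    r'(?i)^(\$\{?[A-Z_]+\}?$|<[^>]+>$|os\.environ|getenv|env\(|\*{4,}$|x{4,}$)')


def find_embedded_credentials(text):
    """Return (line_number, kind, key) for each line carrying a literal secret.
    The value itself is never returned. Commented-out lines are still checked:
    a credential in a comment is still a credential in the repo."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if _URL_CREDS.search(line):
            hits.append((n, "url-credentials", "url"))
            continue
        m = _ASSIGN.search(line)
        if m and not _PLACEHOLDER.match(m.group(2)):
            hits.append((n, "literal-secret", m.group(1).lower()))
    return hits


def secret_fingerprint(secret):
    """Non-reversible handle for a secret so reports can group without echoing it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def find_reused_secrets(records):
    """Vault entries sharing one password, keyed by fingerprint. A password
    reused across assets turns one phished account into access to all of them."""
    groups = defaultdict(list)
    for r in records:
        groups[secret_fingerprint(r["secret"])].append((r["asset"], r["account"]))
    return {fp: sorted(users) for fp, users in groups.items() if len(users) > 1}


def find_stale_secrets(records, today, max_age_days=90):
    """Entries whose last rotation is older than the policy window."""
    return sorted((r["asset"], r["account"]) for r in records
                  if (today - r["rotated"]).days > max_age_days)


if __name__ == "__main__":
    for hit in find_embedded_credentials(SAMPLE_SOURCE):
        print("embedded credential:", hit)
    for fp, users in find_reused_secrets(VAULT_EXPORT).items():
        print("password", fp, "shared by", users)
    for entry in find_stale_secrets(VAULT_EXPORT, AUDIT_DATE):
        print("not rotated in 90 days:", entry)
```

Run as a script it flags the connection URL, the two literal passwords, the one password shared by three accounts (including a vendor VPN account, the third-party exposure described earlier) and the two credentials past their rotation window. The assignment pattern is deliberately narrow; a real deployment would also check for vendor-specific key formats and high-entropy strings.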
Can The DPDP Act Address Such Incidents?
To address the rising cases of cyberattacks and fix responsibilities, the Indian government came out with the Digital Personal Data Protection (DPDP) Bill. The Bill, which seeks to protect Indian citizens’ personal data, was enacted in August 2023.
Experts believe that the DPDP Act has the provisions to address data breach incidents and to take remedial measures quickly in case of cyberattacks. However, the delay in releasing the rules under the DPDP Act for public consultation may delay its implementation, as per reports. The Act is currently scheduled to come into effect from January 1, 2024.
The DPDP Act incorporates specific clauses and provisions to address incidents involving malicious intent. Notably, it mandates that data fiduciaries promptly notify both the affected data principals and the Data Protection Board in case of a data breach, Tejasi Panjiar, associate policy counsel at the Internet Freedom Foundation, told Inc42, adding that it is a very crucial clause which calls for swift remedial measures in case of data breaches.
As per the act, a data fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data, while data principal means an individual to whom the personal data relates.
“While there’s a delay in the rules getting notified under the Digital Personal Data Protection Act 2023 (DPDPA 2023), this doesn’t mean that whatever is happening till the notification of rules may not come under scrutiny. So, anything happening at this moment, like the Taj data breach, could also fall under the scrutiny of the Data Protection Board,” said Kamesh Shekar, senior programme manager at The Dialogue.
It is pertinent to note that the Data Protection Board is empowered to impose penalties of up to INR 250 Cr under the DPDP Act. Data fiduciaries can be held liable to pay penalties for breaches due to absence of reasonable security safeguards to prevent personal data breaches.
Charting The Path Forward
According to Desai, understanding data flow is crucial to countering data breaches. Data flow analysis begins with understanding the origin of data, identifying the first point of contact, and determining the entities that have access to the Internet of Things (IoT). How data is created, shared and moved then becomes the crucial consideration. Examining how data is archived and stored, and the pathways it takes, helps in understanding where problems may arise.
To address these concerns, implementing specific security measures at every step is essential. However, the granularity of these security measures appears to be lacking in Indian enterprises, he added.
As per the anonymous cyber security expert mentioned earlier, it is necessary to incorporate privacy by design in all systems to align digitally transformed architectures with an organisation’s regulatory obligations. Organisations can assess the impact on privacy through activities like Privacy Impact Assessment (PIA) or Data Protection Impact Assessment (DPIA).
With cyberattacks on the rise, organisations often focus on acquiring advanced security solutions, but the efficacy of these measures is compromised when fundamental security practices are neglected. These lapses include organisations overlooking basic security measures internally, and downstream third-party vendors, who have privileged access to the upstream organisation, failing to adhere to sufficient security protocols, as per Venkatramani.
Addressing both these aspects is crucial for Indian enterprises to fortify overall cybersecurity defences and ensure comprehensive protection against evolving cyberthreats.