US-based question and answer platform Quora announced that personal data of almost 100 Mn Quora users was breached with a “malicious” third party gaining unauthorised access to one of the company’s systems.
In an official blog post, the company stated that account information, including names, email addresses, encrypted passwords, data imported from linked networks, user questions and answers, direct messages, etc., might have been compromised during the breach.
“We believe we’ve identified the root cause and taken steps to address the issue, although our investigation is ongoing and we’ll continue to make security improvements,” Quora CEO Adam D’Angelo said in the blog post.
D’Angelo added that in order to protect its users, Quora is logging out all those who might have been affected by the breach and will invalidate passwords that were being used for authentication purposes.
California-based Quora was founded in 2009 by Adam D’Angelo and Charlie Cheever, both former Facebook employees. The platform enables users to come together and discuss topics of common interest. People can post a question on any topic on the platform and get answers from people familiar with that topic.
The company entered the unicorn club with a valuation of $1.8 Bn after a Series D round of funding led by Collaborative Fund and Y Combinator’s Continuity Fund.
According to a 2018 report, about 20.7% of Quora visitors are from India. In order to strengthen its presence in the country, it launched a Hindi platform in June for its Indian users. At present, the number of Indians who have been affected by this breach is not known.
Inc42 is still trying to understand the impact of the breach on Indian users and the story will be updated as and when we get more details.
A Year Of Data Breaches
This year, a number of data breaches affecting thousands of people across the globe have been reported. Some of the major ones are:
- In April, social media company Facebook admitted that the Facebook-Cambridge Analytica data breach affected about 5.62 lakh Indian users.
- In May, personal data of an estimated 8.9 Mn Indians was leaked via the website of the Employees’ Provident Fund Organisation (EPFO).
- In April, security researcher Srinivas Kodali revealed that personal details of nearly 1.34 lakh people of Andhra Pradesh were publicly available on the Andhra Pradesh State Housing Corporation website.
- In July, the personal details of Telecom Regulatory Authority of India (TRAI) chairman Ram Sewak Sharma were leaked after he posted a challenge on Twitter revealing his Aadhaar number.
The Draft Indian Personal Data Protection Bill
In view of the rising data breach incidents, the Centre introduced the draft Indian Personal Data Protection (PDP) Bill 2018 in July. One of the provisions of the Bill mandates private companies to store all personal data of users locally in Indian servers.
Recently, IT and law minister Ravi Shankar Prasad said that the Centre intends to hold a wide consultation on the draft PDP bill. As the feedback deadline (October 10) is over, the minister indicated that the government might constitute an inter-ministerial committee for further recommendations, which may delay enactment of the Bill.
However, Prasad said that the government intends to introduce the bill in the Winter Session of the Parliament, which will start on December 11.
The European Union (EU), meanwhile, has expressed reservations about the data privacy bill. In an online submission to the MeitY, Bruno Gencarelli, the head of the International Data Flows and Protection Unit of the European Commission (EC), listed seven detailed reservations about the draft bill.
“These data localisation requirements appear both unnecessary and potentially harmful as they would create unnecessary costs, difficulties, and uncertainties that could hamper business and investments,” wrote Gencarelli.
Recent reports stated that the Indian government is considering high penalties for companies that fail to immediately report data breach incidents that affect Indian users.