Over a lakh usernames, phone numbers, emails, addresses and order histories were exposed. And FreshMenu chose not to tell its customers.
A recent report confirmed that the online food delivery startup, FreshMenu, suffered a data breach in 2016, where personal data of around 1,10,000 users was compromised. I was one of those people whose personal data was breached.
The names, phone numbers, email addresses, home addresses and order histories of the users were exposed. At that time, FreshMenu chose not to tell their customers until the website haveibeenpwned.com decided to publish details of the breach last week. This incident highlights why India badly needs a breach notification law that puts the user in the centre.
Regulators such as RBI mandate that companies under their purview report data breaches to them (Note: the Computer Emergency Response Team also has similar rules; however, it isn’t clear if this is mandatory). None of them mandates letting us, the citizens, know about data breaches.
This isn’t the first time a data breach has occurred and it won’t be the last. While it is important for FreshMenu to introspect and come up with a strategy to improve their security, it is also important for us, as a society, to think about how we need to handle data breaches. While breaches are bad for business (they reduce user trust, shift focus from adding new features, and so on), they are worse for users.
Leaked phone numbers alone can be used to gather additional information about you. A combination of the leaked information with publicly available data (such as details on social media) can easily lead to undesirable consequences, including receiving spam, becoming a target of social engineering attacks, and so on. If more sensitive data such as passwords or credit card details are stolen, direct financial or reputational impact becomes a possibility.
A public data breach can harm a company’s reputation. It also places a target on the company’s back for other hackers to try their hand at attacking them. So, when a company gets breached, one can argue that it’s in their interest to keep it quiet (it’s a different matter altogether that most stolen data is available on the black market and hence “keeping quiet” forever is improbable). However, this leaves the user exposed. If the user does not know her data was breached, there is nothing she can do to safeguard herself (e.g. change passwords, cancel her credit cards, etc.).
In many places, including the US and Australia, a consensus has emerged that the only way to make sure compromised companies act in a responsible manner is to enforce it through law. For instance, the state of California “requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorised person”.
The ongoing conversation about the data protection bill in India provides us with a good opportunity to fix our loopholes.
Unfortunately, the draft bill submitted by the Justice Srikrishna Committee proposes a watered-down breach notification framework (Section 32), where the data protection authority (DPA), and not the data subject, needs to be notified. The DPA, in its wisdom, can then decide on a case-by-case basis whether to disclose the breach to the victims.
This is a bad idea for two reasons: One, the DPA needs to have a massive human capacity to be able to process each notification and then intelligently decide which ones need to be made public. This will build a bloated, centralised bureaucratic structure that will struggle to do its job in an efficient manner. Two, any system that resorts to case-specific decision making encourages rent-seeking behaviour. Depending on the impact of disclosing the breach, it may be tempting for a compromised entity to pay off an officer rather than go through the process of dealing with public outcry.
A key aspect of privacy in the internet age for users such as myself is to know where my personal data resides. When I allow an app (such as FreshMenu) to use my private information, I am trusting them to use it responsibly. When a breach occurs, that trust is broken and the damage is irreversible. Now, my personal data is not just with the hackers who stole it, but possibly available to anyone who is willing to pay for it. At least if we are told about it, we can take remedial action. Unfortunately, FreshMenu chose to behave differently.
It is important to put the onus on the compromised entity to make the breach public. A transparent model where it is easy for a compromised entity to know if they need to report the breach to the public (or affected data subjects) will help immensely.
While it is easy to put all the blame on breached entities (such as FreshMenu), it is also important to note that a breach brings with it a lot of fear and uncertainty. A good breach notification law will make it easier for the breached entity to report the issue responsibly, provide compromised users timely warnings to take remedial action, and, more importantly, let the entity move on from the breach and continue running its business.
The author works in the cyber security sector out of Bengaluru, and helps customers in India and other parts of Asia build their application security practices.