Just one month into the year, it looks like some Indian organizations didn’t include Data Protection and Security in their New Year's resolutions.
The scary part is that even though these organizations have been informed about these breaches of customer information, they have neither acknowledged them nor let their customers know that their data is floating around the Dark Web marketplace. It’s also surprising that these breaches don’t get enough coverage in Indian media.
Here are some of the more prolific breaches which I have come across in the past month:
If you’re one of the 1.2 million customers who’ve travelled on SpiceJet, your name, email and phone numbers have been breached. They were left in a web-exposed database with an easily guessable password! Apparently, until the security researcher contacted CERT-In, SpiceJet didn’t take any action, even though the company was informed earlier. (source)
If you’ve ever bought mobile cases or accessories from the online retailer DailyObjects, customers' personal information has been breached, including name, email, mobile number, and physical addresses. I was notified of this by Have I Been Pwned, a service I subscribe to, to let me know of breaches. However, there has been no notification from this retailer about this breach.
Indian Health Care Providers
A few health care records, X-rays and scan images have been left exposed on the internet by health care providers in India – these include some better-known names like Breach Candy Hospital. These exposures have mostly been due to bad password policies and server misconfiguration, which left sensitive data like this exposed to the internet. (source)
Data leaked include the patient’s name, ID numbers, date of birth, medical history, medical images, physician names, and more. Quite a lot of personal information which you’d not want reaching the wrong hands.
To give you an idea of the number of records that have been exposed, here are the numbers from the report which security research company Greenbone published.
This is a sizable chunk of data getting breached in just the first month of the year. Let’s see whether the situation improves over the year as companies get more security focussed. If you’ve come across other breaches, do let me know by leaving a comment.