The Ridiculous 17.5 Cr for a Data Breach

The 17th edition of the ‘Cost of Data Breach’ report researched by Ponemon Institute and published by IBM was recently released. The report offers a lens into several factors that could increase and help mitigate the constantly rising cost of data breaches globally. 

The report, based on real-world data, was collected from 550 organisations between March, 2021 and March, 2022 and concluded that on average, 29,500 records were breached in India by March 2022.

The data breach cost averaged INR 176 million in 2022, reaching an all-time high. This represents a 6.6 per cent increase from 2021 when the average cost of breach was INR 165 million. The average cost has risen to 25 per cent from INR 140 million in the 2020 report.

Viswanath Ramaswamy, vice president, technology, IBM Technology Sales, IBM India–South Asia, says, “It’s clear, businesses cannot evade cyberattacks. Keeping security capabilities flexible enough to match attacker agility will be the biggest challenge as the industry moves forward.”

To stay on top of growing cybersecurity challenges, he added that investment in zero-trust deployments, mature security practices and AI-based platforms could help make all the difference when businesses are involved in the attacks.

Third-party involvement, cloud migration, IoT and OT (operational technology) were the factors associated with the highest cost increase, the findings show. 

Recent breaches in India

Recently, Cleartrip, one of India’s leading travel booking platforms, confirmed a case of data breach after hackers claimed to post stolen data on the dark web. However, the exact details of the stolen data—whether the data was sensitive is yet to be revealed.
 

Mozilla’s security tracker, Firefox Monitor, which informs users if their mobile number or email has been compromised in a data breach, confirmed that Paytm suffered a data breach in 2020.  This data—of more than 3.4 million users—has been discovered online. 

According to a report by Firefox Monitor, the data breach compromised information such as the user’s phone number, email address, purchase history, gender, date of birth, location and income levels.

Fortunately, payment information such as saved cards was not compromised during the data breach.

The perpetuity of cyberattacks also sheds light on the ‘haunting effect’ data breaches typically have on businesses, with the IBM report finding that 83 per cent of organisations are experiencing more than one data breach in their lifetime globally.

Recently, Uber admitted that it covered a massive data breach in 2016 that exposed data about approximately 57 million users and 600,000 drivers’ licence numbers.

India is one of the biggest targets with its large and vulnerable tech-connected people. Well-known companies like Razorpay, Justpay, PineLabs and Mobikwik are all suffering at the hands of cyber criminals, costing billions worth of damages in data breaches and exposing the sensitive data and credentials of the citizens.
 

With over 1.3 billion businesses registered in India and IT spending projected to reach USD 95 billion in 2022, the economy is an attractive target paired with a general lack of existing and upcoming legislation directed at breach disclosure policies.

Another recent survey by Munich Re revealed that India is amongst the three most affected countries besides China and South Africa in cyber attacks. 

Of the 14 countries surveyed, India was the highest country with C-level respondents—92 per cent—that are most concerned about a potential cyber attack on the company.

What are the authorities doing?

Currently, India does not have a broad, all-inclusive legal framework for data protection. The Information Technology Act 2000 (IT Act) and the Information Technology Rules 2011 framed under the IT Act regulate the collection, use, processing and transfer of personal data and sensitive personal data in India.

The IT Act does not set up a regulator to oversee the implementation of data protection—similar to a data protection authority under the GDPR. However, under section 70B of the IT Act, the government has established the Computer Emergency Response Team (CERT-In) to analyse, forecast and respond to cybersecurity incidents such as unauthorised access, disruption and use of a computer resource. 

The CERT-In is empowered to investigate data breaches, and non-compliance with the directives of the CERT-In has financial and criminal penalties.

Announced in the Union Budget 2017-18 and yet to be made operational, CERT-Fin ​​(Computer Emergency Response Team) would be established by the Reserve Bank of India (RBI). The independent body is expected to work closely with all financial sector regulators and stakeholders on the issue of cyber security.