After suffering a massive data leak on 9 July, Indian telecom upstart Reliance Jio Infocomm has been facing the wrath of its users and independent security researchers over weak data protection standards.
The data breach, reportedly the biggest in India, affected more than 100 million Jio users and triggered a wave of calls for the country to adopt stringent data security laws. The information compromised included names, email addresses, sim activation points, Aadhaar numbers, and other details of the users.
Jio, a part of Mukesh Ambani-owned Reliance Industries, said that the telephone numbers and email addresses posted on the site called "Magicapk" appeared to be "unauthentic". They also assured that their "data is safe and maintained with highest security" and is only shared with "authorities as per their requirement".
Though the telecom giant has repeatedly denied the allegations of any data breach, a report from Reuters suggests that the company has acknowledged "unlawful access to its systems" in its police complaint.
The website, which was reportedly setup in Rajasthan by a local computer applications student, has been taken down. Several news outlets across the country have already verified the details posted on the site, confirming that the leak was real.
Need for robust data security laws
Time and again, India's cyber security framework has been questioned. Before Jio, leaked data of over 17 million Zomato (food delivery app) users were put on sale on the dark web. Even Aadhaar, a number which is unique to every Indian citizen just like US SSN, has been compromised on several occasions. According to a report from Centre for Internet and Society (CIS), as many as 135 million Aadhaar numbers have been leaked from government databases.
Pranesh Prakash, policy director at CIS, says, "A rule to report breaches exists, but it is unenforceable. It says you're not liable if you're following reasonable security practices. What 'reasonable' means is not defined".
While people have been complaining about Jio leaks on Twitter, advocates of stringent cyber laws in the country are slamming the entire situation, comparing it with breaches in Britain and United States, where strict cyber crime laws are in place and regulator-level inquiry is initiated immediately.
"We don't have full-menu data protection laws," said Apar Gupta, a Supreme Court lawyer working on data privacy issues. "We don't even have an institutional framework or expert body to implement the limited data protection regulations that do exist. It's so limited it's more accurate to say no law exists."
India, which is host to a number of MNCs, has also failed to secure the "data-secure" status from the European Union due to its weak data privacy laws.