
RBI doesn’t have a system to inform victims of a data breach: RTI

A Right to Information query has revealed that the Reserve Bank of India (RBI) does not have any system to inform customers impacted by data breach incidents. The RTI was filed by independent security researcher Srinivas Kodali. Two RTIs, concerned with cybersecurity incidents at Pine Labs and Mobikwik, reveal a lot of information regarding how RBI deals with data breach incidents.

RBI doesn’t have a system of informing customers impacted by cybersecurity incidents

The RBI has ordered a forensic investigation into the Pine Labs incident. Further, no PPI (prepaid-payment instruments) holders were affected as per the report. However, had they been affected, even then the RBI would not have informed them. It does not have any process which could let it do so.


Still reviewing the Mobikwik report

After Mobikwik denied a data breach, RBI ordered a forensic audit to examine the allegations. Kodali shared the information he obtained through the RTI on his Twitter.

As per the information, Mobikwik has submitted the audit information and the RBI is examining it. It also talks about compensation in cases of data breaches but refers to RBI’s guidelines for unauthorized transactions.


Why does this matter?

In the last couple of years, cyber crimes have increased manifold. Financial companies store users’ sensitive personal data. While Upstox leaked data of 25 lakh users, Mobikwik exposed data of 35 lakh Indians, and the Moneycontrol data breach impacted 7 lakh Indians. The Ministry of Home Affairs had informed the Parliament that India faced 12 lakh cybersecurity incidents overall in 2020, with over 2.9 lakh incidents related to digital banking.

These cybersecurity incidents do not just happen and stay in isolation. The data leaked in these incidents further helps attackers cheat people. And people are suffering losses. A study has suggested that 59% of Indians suffered a cybercrime in the last 12 months of the study. People have lost Rs. 4 crores in the last months in Chandigarh alone.

Unless the RBI, as the financial regulator of the country, informs users about these breaches and suggests steps to protect their data or their money, people are going to suffer losses.

“As the regulator responsible to keep financial transactions safe, RBI is duty-bound to explain the nature of data breaches in digital payment firms and educate people about various social engineering attacks they might face because of these breaches,” Kodali told Entrackr.

RBI requires affected companies to inform their customers, but the lack of clear and strict directives with regard to incident reporting lets companies evade the responsibility altogether.



Rohit Ranjan Praveer

Rohit is a practicing advocate in Delhi. Beginning as a tech enthusiast, Rohit always had a keen interest in computer forensics and information security. Building upon these fundamentals, he has undertaken extensive research on various techno-legal topics and continues his pursuit to pass on valuable information to the masses, with a zeal to build something that outlasts him.
