A Right to Information query has revealed that the Reserve Bank of India (RBI) does not have any system to inform customers impacted by data breach incidents. The RTI was filed by independent security researcher Srinivas Kodali. Two RTIs, concerned with cybersecurity incidents at Pine Labs and Mobikwik, reveal a lot of information regarding how RBI deals with data breach incidents.
RBI doesn’t have a system of informing customers impacted by cybersecurity incidents
The RBI has ordered a forensic investigation into the Pine Labs incident. Further, no PPI (prepaid-payment instruments) holders were affected as per the report. However, had they been affected, even then the RBI would not have informed them. It does not have any process which could let it do so.
Still reviewing the Mobikwik report
As per the information, Mobikwik has submitted the audit report and the RBI is examining it. The response also addresses compensation in cases of data breaches, but only by referring to RBI’s guidelines for unauthorized transactions.
Why does this matter?
In the last couple of years, cyber crimes have increased manifold. Financial companies, in particular, store users’ sensitive personal data. Upstox leaked data of 25 lakh users, Mobikwik exposed data of 35 lakh Indians, and the Moneycontrol data breach impacted 7 lakh Indians. The Ministry of Home Affairs had informed the parliament that India faced 12 lakh cybersecurity incidents overall in 2020, with over 2.9 lakh incidents related to digital banking.
These cybersecurity incidents do not happen and stay in isolation. The data leaked in these incidents further helps attackers cheat people, and people are suffering losses as a result. A study has suggested that 59% of Indians suffered a cybercrime in the 12 months preceding the study. People have lost Rs. 4 crores in recent months in Chandigarh alone.
Unless the RBI informs users about these breaches, being the financial regulator of the country, and suggests steps to protect their data or their money, people are going to suffer losses.
“As the regulator responsible to keep financial transactions safe, RBI is duty-bound to explain the nature of data breaches in digital payment firms and educate people about various social engineering attacks they might face because of these breaches,” Kodali told Entrackr.
RBI requires affected companies to inform their customers, but the lack of clear and strict directives with regard to incident reporting lets companies evade the responsibility altogether.