New Delhi: Days after reports of millions of patients’ data leak from an unprotected server of Dr Lal PathLabs, the diagnostic centre clarified that the leak of patient data reported in the media involved only 1 in 200 patient records held by the company. However, it did not clarify exactly how many patients’ data was affected by the incident.
Earlier this week, a cybersecurity expert from Melbourne claimed that the data was exposed for around a year and he estimates the number of patients whose data was exposed could run into millions.
The420 spoke to cybersecurity experts and researchers to find out more about the issue of data leaks and privacy in India. Here is what they have to say.
Dinesh O Bareja Cyber Security Specialist & V-CISO told The420 the country can control cases of personal data leak by awareness and legislation.
“Forward-looking laws should be enacted and courts should be able to hear and dispose of cases swiftly,” suggest Bareja. However, he said that there is a big black hole in the police department in terms of skill, policy, attitude, transparency and much more.
Taking about Dr Lal Pathlabs data leak, Bareja said, “Such leaks in foreign hands or criminals are a potent weapon.”
“In Dr Lal Pathlabs case, imagine a situation where the health reports of high ranking government or defence officials reach a foreign agency and they use it to compromise that person or destroy the reputation. Using such information may be an enemy state agency can use it to interfere or influence the promotions of some high ranking personnel. This is one use case but there are many nefarious uses for personal data,” Bareja explained.
He said the skillet to hack into these databases is available in plenty in India but our researchers are not researchers in the true sense of the word. However, relating to this incident one would have only needed the skill to expertly search for misconfigured AWS accounts.
Bareja who has closely monitored Indian cybersecurity polices for years said many firms which I have seen have shown that they are very serious but the seriousness is skin deep. We Indians have lived with jugaad for so long that we still have the same mindset and we think God will take care of us if we go and offer 101 rupee prasad.
Highlighting the role of Indian companies in managing their customers’ data, Nitin Pandey, a Lucknow based Cyber Security Researcher said most of the Indian firms are not serious about data protection. The more India is being digitalized, the more Cyber attacks and new tactics are being adopted to attack the Indian companies. Lack of awareness about Security and Protection is a major issue in companies.
“It is shocking that patients’ data were stored without any password on the server. This allowed anyone to access the details of the patients. The leak exposes their security preparedness and how the basic security features’ were ignored by the technical team of the lab,” Pandey said who is also Chairman of National Information Security Council.
Showing a way forward Pandey said, “Indian firms should spend on penetration testing and periodical security audits instead of going for the lowest and cheapest available vendor. The digital world is always evolving so it requires regular security audits which can help in securing the digital infrastructure of companies. Awareness and training of employees is also the need of the hour.”