A recent data breach on the leading e-grocer BigBasket impelled me to write this blog. Although BigBasket is reported to have lodged a complaint with the city’s cybercrime cell, a potential data breach reports having compromised the details of 20 million (or 2 crore) users, as per the US based firm Cyble.
The security attacks and data breach wreak havoc in an organization, which will not only adversely impact their business but also cause a downfall in goodwill and the reputation of an organization. Cybercrime has infiltrated numerous corporate network, and the range of attacks has not spared the government networks.
What is a data breach?
As defined by the department of health and human services in the USA , “A data breach is a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used
by an individual unauthorized to do so.”
These data breaches could be the intentional or unintentional release of personally identifiable information (PII). The report  further states that PII could be “any information that can be used to distinguish or trace an individual’s identity, such as name, date, and place of birth, social security
number, or other types of personal information that can be linked to an individual, such as medical, educational, or financial information”.
Other sources of the data breach
People at large need to be aware that the mode of a data breach is not limited only by a cyber attack on the servers. The misplacement of IT assets like a laptop, mobile phones, or even careless disposal of these IT assets and documents may also lead to a data breach. Various IT companies, including those I have worked for over two decades, have implemented data encryption technology and use of VPN to avoid any misuse of data in case of assets being lost or stolen. However, implementing encryption technology on a personal device like a mobile phone or IoT environment may not be an easy task.
Hence, it is a crucial step and every challenging task for organizations to protect business sensitive, propriety data from any misuse or hacks.
Cost of a data breach
A recent 2020 report by IBM  indicates that in India, the total cost of breach amounts to $2m (or ₹14 crores) as compared to $3.86m average of global figures. However, the time to identify and contain the breach averages to 313 days in India.
The impact on society at large due to the data breach
A consumer might create a user account with an online marketer for the purchase of goods or to consume a service and usually provide all necessary information like name, contact number, address, date of birth (or age) to comply with their requirements.
. There is a likelihood of sensitive information being leaked, e.g. if a consumer made a transaction and entered their credit card details, it could be breached.
. Some people have a habit of using the same user name and password for many or all of their online accounts. In such a scenario, gaining access to the credentials of one account is enough to cause significant harm to any individual.
. With this kind of data breach, the question it raises to our minds is the communication strategy adopted by the companies to inform its probable affected users. For example, how will companies directly communicate with an affected end-users directly and take preventive measures by changing their account password?
Moreover, during this pandemic time, a large number of people are working from home, and we all as consumers prefer to do the transaction online and be safe instead of venturing out for shopping of grocery and daily chores. With more consumers now making online purchases with these online grocers and eCommerce sites, it has made transactions and purchases convenient, including making mobile payments.
Experiencing such a paramount data breach with BigBasket, this might lead to technological instability, lack of trust and losing their probable futuristic investor (Tata Group).
Other instances of a data breach
As per the World Economic Forum’s Global Risk Report 2019 , the largest massive breach of personal information was in India, with 1.1 billion Aadhar records potentially compromised.
In the era of networked computing, Dr Reddy’s Laboratories Ltd, a pharmaceutical company on 23-Oct-2020 had to isolate its data centre as a preventive action following a cyber attack  on its information technology infrastructure. This incident occurred immediately after the company received regulatory approvals to conduct a clinical test for COVID-19 vaccine. This cyberattack had an impact on its falling stock prices.
Next in line was Facebook, reported  to have a vulnerability that enabled attackers to exploit 50 million users data in 2018.
Another largest security lapse was reported by Indane, India’s gas company, exposed million on Aadhar numbers .
In 2020, Edutech startup Unacademy reported a data breach with 22 million user accounts being compromised.
In 2017, Target in US to pay $18.5 to 47 states in security breach settlement . This settlement was the result of an investigation of a data compromise of millions of consumers in 2013.
Steps organizations take
IT organization and IT-enabled companies take various measures to prevent the risk of exposure to theft and a data breach. The challenge for companies is related to the security of sensitive data in an environment where employees seek anytime, anywhere and any device access the data, for example, accessing emails and office documents.
The crucial step for companies is to appoint a Chief Information Security Officer (CISO) and the team
with a critical role to be responsible for an organizations information and data security, which includes:
- A security-centric team with security operations to perform a threat assessment on a real-time basis and to discover the data and secure it appropriately.
- Keep abreast of cyber risk, cyber intelligence and potential security problems. A continually evolving threat landscape further compounds this as hackers use sophisticated tools.
- Ensure business data is safe, not stolen or misused, prevent from any probable fraud and have complete visibility over the end-user activities.
- The design of IT and network infrastructure is as per the best industry guidelines and security practices.
- Ensure that only authorized employees have access to the required data with the help of implementing identity and access management.
- Respond to security incidents by performing regular audits and root cause analysis, analyzing scenarios to prevent any occurrence and reoccurrence of any crisis or data loss.
- The most crucial aspect is advocating security principals within the leadership team and the governance of security practices and processes in the organization and ensuring the security initiatives / programs are executed smoothly with the management buy-in.
- Comply with security-related regulatory and legal requirements of business and clients.
In today’s world, IT infrastructure company have a heavy reliance on data integrity. Data is secret, confidential and valuable at a different perspective and governed by a different law. It is worth mentioning that Consumerism will take further shape and governance to be in place as part of the Consumer Protection Act 1986, precisely Right to Safety and Right to be informed. The industry best practices can be adopted by organizations to safeguard the devices and prevent data breach by enforcing policies and process which includes performing regular audits (both internal and external), 24×7 remote monitoring of devices including bring your own devices (BYOD) and alert to generated in case of any issues found, conducting regular training to its employees, making it a culture of the
organization and making them aware of the best practices to follow (e.g. reporting immediately in case of loss of equipment, avoiding visiting any unknown websites), keeping updated the security softwares (like anti-virus and firewall), using encrypted data. It is critical that companies maintain customer trust at all times and use innovative methods to prevent incidents related to cybersecurity and data breaches.
Disclaimer: The views, opinions, and content on this blog are solely those of the authors. ISME does not take responsibility for the content which are plagiarized or not quoted.