India's Growing Breach PotentialKroll India MD Reshmi Khurana on the Indian Breach Landscape
With rising Internet penetration, comes the threat to digital identities and information being held in trust by the third-parties enabling this digital transformation. This risk can be difficult to grasp for individuals who have never had a digital identity. Yet, as vast swatches of Indian populace get online for the first time using mobile devices, the threat of a major data breaches is becoming real and imminent.
To this point, breaches in India are largely limited to rudimentary data theft with lapses happening on the people and process side of the equation, versus sophisticated hacking attacks, says Reshmi Khurana, Managing Director for Kroll Advisory Solutions India, a corporate investigations and risk consulting firm.
"We haven't seen any major data breaches yet in India," Khurana says. "So far it's been small scale data theft with nothing on the same level as a Sony or Home Depot. But with the market growing rapidly, this issue is set to become critical."
The logic is simple, she says. As more of our lives become digital, and dependence on cashless transactions and credit card increases, many non-traditional business are going to hold increasing amounts of data, she says. For instance, Indian credit card usage is a largely urban phenomenon, and organized retail in India is nowhere near as huge as the west and cannot be compared to Target or a Home Depot. But as these trends accelerate, the profile of businesses holding sensitive customer data as lucrative targets will see a commensurate rise, she predicts.
In this exclusive interview with Information Security Media Group, Khurana shares insight on the data breach and fraud landscape in India, comparing it to more mature markets where Kroll has expertise. She speaks about:
- The difference between breaches in India and the west;
- The underground data market in India;
- Breach liability and the traction for breach disclosure in India.
Khurana is the Managing Director and Country Head of Operations for Kroll Advisory Solutions in India. She has more than 13 years of experience in the US, South Asia and South East Asia conducting complex corruption investigations, litigation support and due diligence on the management, operations and business models of organizations. Her clients include asset management companies, corporations in the mining, oil & gas, consumer packaged goods and pharmaceutical industries and law firms. Prior to joining Kroll, she was a consultant with McKinsey & Company in India.
VARUN HARAN: What does the data breach landscape look like in India. and how does it compare to the rest of the world where Kroll has expertise?
RESHMI KHURANA: I feel the technology environment here is still nascent as far as data theft and breaches are concerned. The type of data breaches that we have seen here are actually rudimentary data theft and not sophisticated data breaches - at least the ones that Kroll has been called for. Kroll's experience in the UK and the US is more with companies housing huge amounts of data, like banks, retailers, etc, where we have seen much more sophisticated IT aspects to data theft.
We haven't seen any major data breaches yet in India. So far it's been on a small scale with nothing on the same level as a Sony or Home Depot. But as the market grows and consumers becoming more aware, this issue is set to become critical. The cyber issue currently is much more of an urban issue, and not very sophisticated at that.
Breach Preparation Mindset
HARAN: When you interact with the industry and when the cyber risk piece comes up, what are the key themes and challenges that you find being repeated?
KHURANA: If we speak about our big customers in India, I believe they don't think about it as much as they should. Whether you are talking about banks, IT companies or retailers - the attitude is still very much that we will think about it when there is an issue. It's not front and center. The reason I say this is that when a breach does occur, it's usually very surprising how simple it is.
For example, in one instance, a phone call was made to the HR department of a company of 500,000 individuals. Posing as an executive from within the organization, the caller asked a junior HR executive to send across a zip file with details of all the employees, including addresses and phone numbers. That's how rudimentary it is. When you look at it, it doesn't strike you as a big IT coup.
But then when you dig deeper you realize, a) how does one person have access to the details of all 500,000 employees? b) How can they email this data without any kind of approval process? And c) Why did the IT systems not pick up the fake email coming in or the data going out? The lapse here is at the HR level, the process level and IT.
HARAN: Otherwise known well in Information Security as PPT or people, process and technology?
KHURANA: Yes exactly. Data breaches are not just an IT problem in India. Usually there is a human element and some sort of process lapse.
Data theft is often a laborious process and takes place over a period of time. In another example, we have a major bank that is our client that has sophisticated systems for tracking access to systems and the flow of data in their IT infrastructure. In this case, the perpetrator was taking pictures of the computer screen with a cellphone and compiling it over time.
It's not the norm that someone zips into your systems and makes away with a 100k records. It's often someone junior with very limited access to data, who exfiltrates data over a period of time in a methodical fashion. We see this a lot, and this trickle effect makes it much harder to catch because your IT monitoring systems don't catch it, and these are people who don't have access to full or complex datasets, but can assimilate pieces of this data over a long period of time.
HARAN: So what happens to this data once it is stolen? How organized is the underground data market in India?
KHURANA: I think data theft in India has been going on for a long time, and over time the black market for data has grown more sophisticated. An interesting aspect of this data theft is what happens to the data after it's stolen. In the west, we see that because criminals can get access to finished or sophisticated data, it can be used quickly, so identity theft is a huge issue. In India what we see is the data usually goes through several layers of packaging and re-packaging with new things being added to it, the data being cleaned, or cut and sold to different people as needed.
This segment is well organized, and we have seen the most creative use of data in disciplines as spread out as recruitment, marketing, tele-fraud and others. The challenge is that companies have no idea that their data can be used in such creative ways. You'd be amazed at the quality of these datasets - there is a huge market out there, and depending on your requirement, everything is available from credit card numbers, with or without CVV, names, telephone numbers -- the lot.
The somewhat disorganized and low-level nature of this data pilferage means that when you shut down one operation, five others crop up - much like our experience with fighting counterfeiting of goods in India and China in the last decade.
HARAN: Are Indian organizations really concerned about liability if a breach takes place? How important do you think the breach disclosure piece is going to be in India?
KHURANA: The primary fallout from such breaches is to reputation and the brand, even in India. With the lack of mandatory breach notification, reputation is the only thing that is making Indian banks call us. Because, otherwise, they are not really being held accountable under law.
In my experience, the cumulative financial losses from frauds are not large at all. The reason organizations are taking any action - at least the proactive ones - is because consumer awareness is going up and with increasing e-commerce and internet penetration.
I think breach disclosure is very important as our lives move more online and as transactions become credit card driven or cashless. This is the key difference right now between India and the west. I think retailers are hugely vulnerable. But, again, organized retail in India is not so large. Organized retail entities in India cannot be compared to a Target or a Home Depot, but this is changing.
More and more nontraditional businesses are going to own or hold data, and that's when the vulnerability in the market is going to increase. So it is not very far when things like breach disclosure are going to start gaining serious traction.