How India's loose data privacy laws open the door to hackers

Aanchal Sudhakar, a resident of Gurugram, has yet to figure out how a scammer got her phone number.

A few weeks ago, she received a call from a person impersonating a supplier at her husband's office. He asked Sudhakar send to him 15,000 rupees (€180, $197) through PayTm, a payment app. 

According to ZoomInZ0D, a Mumbai-based "ethical hacker," scammers mine information from various sources.

"The real name of the user can be identified from email IDs. A legitimate-looking fake WhatsApp message asking for phone numbers, email IDs or even addresses can do the trick. Information can also be mined from Google forms," warned ZoomINZ0D.

Subscribe to Corona Compact — DW's newsletter tracking coronavirus in Asia

India still doesn't have a comprehensive data privacy law to protect people's personal data. The Personal Data Protection Bill — the first attempt at securing people's data — is currently being debated in the Lok Sabha (lower house of parliament).

The bill will regulate how personal data of Indian citizens is used by the government, law enforcement and companies, said Shruti Agarwal, an advocate-on-record with the Supreme Court of India.

In 2019, the Indian government approved an ordinance, allowing people to voluntarily use their official government-issued IDs as proof of identity for certain essential services such as opening a bank account.

However, this ordinance also allowed digital payment companies such as PayTm and Amazon Pay to ask for official identification details. Some users were notified that they would lose access to certain services if they didn't share data.

Read more: Credit card cloning on rise in India amid Narendra Modi's cashless push

How companies use data 

According to Garima Das, a New Delhi-based tech policy analyst, companies can unlock commercial value from personal data that people share like photos, videos and GPS activity by making it "anonymous" and removing identifiable information.

Hackers can then break into a company's database or procure the data from an employee.

According to Harshil Mathur, CEO of Razorpay, one of India's leading full-stack financial solutions companies, businesses have safeguards in place to tackle all kinds of fraud.

"As a payment gateway, our key responsibility is to protect the merchants from any kind of online payment fraud," Mathur told DW, adding that a "risk engine" keeps track of IP addresses, card issuer locations and blocks suspicious payments.

"Throughout this process, we take appropriate measures to ensure that no data is ever shared with any third party," Mathur said.

Read more: India's top court curbs use of world's largest biometric scheme

Banks often targeted

Anil Kumar, an assistant sub-inspector at a "cyber police" station in Gurugram, said that the personal data of some Indians is already available for sale on the dark web.

"Fraudsters can get your number owing to your carelessness too," Kumar explained. "For example, if you write your phone number or email address on a feedback form at a restaurant — you're putting up your data for theft. Data can be leaked on WhatsApp, too."

According to Rahul De, a professor at the Indian Institute of Management (IIM), information is mainly stolen to commit financial fraud.

"If you compare the number of instances of fraud, it's mostly theft of money. Banks are getting ripped off more than individuals," he told DW.

"A common kind of theft is where the scammers try to get your one-time password (OTP) during a transaction. This scam is rampant all over the country, driven by some gangs in Jharkhand. A person's mobile number can be easily procured from mobile shops. On many instances, a shop selling SIM cards also has a tie up with these criminals," he added.

Read more: India's privacy ruling casts dark shadow over Aadhaar ID scheme

Data security during coronavirus lockdown

As the COVID-19 lockdown is set to continue in India, the digital payments sector will be expected to record more growth, as more people are currently buying online. Digital payments constituted a whopping 72.5% of the total 2.2 billion transactions in India during the first two weeks of the coronavirus lockdown. This will increase instances of data piracy as scammers will find new ways to con people.

Some people have been receiving notifications resembling official communications from banks, offering a loan moratorium.

The problem of data piracy has exacerbated with the launch of the Aarogya Setu app. The mobile app, created by the Ministry of Electronics and Information Technology, helps people identify if they are in proximity to someone who has tested positive for COVID-19.

The app has seen over 10 million downloads since its launch earlier this month. However, whether the data the app collects is safe from hackers is a question that remains unanswered.

India has a history of hackers cracking into its critical databases and the Aarogya Setu database, if hacked, can put personal information, such as name, age, foreign history travel and health stats, in the hands of the wrong people.

"Since the app has been developed by the government, it will get a lot of attention from hackers. It is very difficult to track every single activity of an application user. Data is only safe when it's in the user's hands. Otherwise, it gets misplaced, lost or stolen," said ZoomINZ0D.

Read more: Is WhatsApp a threat to India's security?