Cyble claims that the list of data exposed includes: Customer’s name, address, mobile number, email id, date of birth (dob); customer’s ID, policy number, start date, end date, agent assigned; name of the policy, sum insured, renewal amount; and employee /agents full names, mobile numbers, dob, usernames, password hashes, individual authorisation keys, official email IDs, email signatures having office address and personal mobile numbers, last login and logout, internal IP address through which they connected to the portal.
I checked on their site ‘amibreached.com’, but it looks a bit shady in that it requires users to pay for more information and I stopped at that.
I am a Religare customer, and have yet to receive any information from them that this has happened. I’m interested to see how they respond to this but don’t have high hopes. I’m sure a lot of confidential data is accessible using employee logins (most of them will probably use insecure passwords).
There have been many instances of data breach that occurred during recent times. The University of Delhi also suffered a massive data breach (affecting thousands of UG and PG students of almost all colleges and departments) that leaked personally identifiable information including but not limited to: University Roll Number, University Enrollment Number, Name, Parents’ Names, Gender, Address, Phone Numbers, Date of Birth, College, Course, Semester, Attendance Records, Academic Transcripts, Mode of Transportation, Aadhaar Number, Bank Account Number and Branch, Electors Photo Identity Card Number.
I would also like to know more about the relevant laws governing this (if any).
How to report a breach for a company or as a consumer?
Either way, it might be helpful. If it’s a guide for companies, it’s not anywhere as effective without enforcement but it’s good to have a framework in place so that there is a reference at a later, more enlightened, point in time.
Currently, entities like Religare do not have any obligation to notify individuals about data breaches. The Personal Data Protection Bill, 2019 also falls short on this aspect because it grants the Data Protection Authority discretion to determine whether the end user needs to be notified about a data breach.