Data breach at Religare

According to a firm called ‘Cyble’, insurer Religare has been affected by a data breach.

Cyble claims that the list of data exposed includes: Customer’s name, address, mobile number, email id, date of birth (dob); customer’s ID, policy number, start date, end date, agent assigned; name of the policy, sum insured, renewal amount; and employee /agents full names, mobile numbers, dob, usernames, password hashes, individual authorisation keys, official email IDs, email signatures having office address and personal mobile numbers, last login and logout, internal IP address through which they connected to the portal.

I checked on their site ‘amibreached.com’, but it looks a bit shady in that it requires users to pay for more information and I stopped at that.

I am a Religare customer, and have yet to receive any information from them that this has happened. I’m interested to see how they respond to this but don’t have high hopes. I’m sure a lot of confidential data is accessible using employee logins (most of them will probably use insecure passwords).

Are there any laws governing this in India?

5 Likes

There have been many instances of data breach that occurred during recent times. The University of Delhi also suffered a massive data breach (affecting thousands of UG and PG students of almost all colleges and departments) that leaked personally identifiable information including but not limited to: University Roll Number, University Enrollment Number, Name, Parents’ Names, Gender, Address, Phone Numbers, Date of Birth, College, Course, Semester, Attendance Records, Academic Transcripts, Mode of Transportation, Aadhaar Number, Bank Account Number and Branch, Electors Photo Identity Card Number.

I would also like to know more about the relevant laws governing this (if any).

3 Likes

Nope. At least not in the sense the US, or the EU does where the breached company has a duty to comply with, inform, and investigate.

2 Likes

I see. Thanks for the information.

Folks, will it be of help if IFF creates a how to report a data breach guide?

6 Likes

How to report a breach for a company or as a consumer?

Either way, it might be helpful. If it’s a guide for companies, it’s not anywhere as effective without enforcement but it’s good to have a framework in place so that there is a reference at a later, more enlightened, point in time.

1 Like

Currently, entities like Religare do not have any obligation to notify individuals about data breaches. The Personal Data Protection Bill, 2019 also falls short on this aspect because it grants the Data Protection Authority discretion to determine whether the end user needs to be notified about a data breach.

We have previously covered a similar breach of health data records which happened last year and led to a lawsuit against the security researcher who reported the vulnerability: https://internetfreedom.in/security-researchers-need-legislative-protection-from-vexatious-lawsuits/

4 Likes