Plea seeking Investigation into Data breaches at Mobikwik, Big Basket, Dominos & Air India, "leaked data available on Dark Web": Delhi HC tells Centre's Counsel to get instructions

Read Time: 06 minutes

The Delhi High Court has asked the Central Government's Counsel to seek instructions in a plea which has prayed for directions upon Computer Emergency Response Team India (CERT-IN) to initiate investigation into purported large scale breaches in data by Dominos, Big Basket Mobikwik & Air India.

A bench of Justice Rekha Palli took up the plea today, filed by the General Secretary of Free Software Movement of India which is a national coalition of various regional and sectoral free software movements which claims that the breaches have compromised sensitive personal and financial information of millions of users of these services

The CERT-In is mandated under Section 70B of the IT Act, 2000, which is the nodal agency operational since 2004 for responding to computer security incidents as and when they occur. It is averred that the CERT-In mandate under the law of land lays down that the acknowledgement of grievances and redressal thereon, within one month of such receipt.
The petitioner has claimed that it wrote to the Authority on 4 different occasions but did not receive any response.

The plea states,

"The said breaches constitute threats to physical and financial safety of users of these services. The address data, emails, contact numbers, financial details - credit and debit card details, KYC details leak pose a grave threat to security of users. Since there is no law governing data protection in India as of now. Thereby, the aggrieved users do not have any legislative recourse against such breaches. Therefore, an investigation and review by CERT-In on frequent data breaches at mass level becomes important to safeguard the privacy of users."

Justifying the impleadment of Ministry of Electronics and IT, the petitioner states that it is "nodal ministry for promoting e-Governance empowering citizens, promoting the inclusive and sustainable growth of the Electronics, IT & ITeS industries, enhancing India’s role in Internet Governance, adopting a multipronged approach that includes development of human resources, promoting R&D and innovation, enhancing efficiency through digital services and ensuring a secure cyberspace."

Quoting from sources in the news, the plea states that there was a major cyber security incident at Big Basket (M/S Innovative Retail Concepts Pvt Ltd) and that cyber intelligence firm Cyble has reported around 20 million Big Basket users data has been breached and are available for sale on Dark Web.

Similarly, the plea states another report suggests leaks of 100 million users of Mobikwik based on a database portion of phone numbers, emails, hashed passwords, addresses, bank accounts and card numbers and other KYC details etc.

"The size of the breached database is about 8.2 TB. This data is available on the Dark Web," it adds.

For Dominoes leaks, 180 million order details and 1 million credit card details of Domino’s users have been breached, the plea states and data of 4.5 million users of Air India was leaked, now available on Dark Web.

Plea filed through Advocates Prashant Sugathan, Prasanna & Yuvraj Singh Rathore 

Case Title: YARLAGADDA KIRAN CHANDRA Vs. UNION OF INDIA