scorecard
  1. Home
  2. tech
  3. BSNL revealed a customer's private data on Twitter to answer query

BSNL revealed a customer's private data on Twitter to answer query

BSNL revealed a customer's private data on Twitter to answer query
Tech4 min read
BSNL showcased negligent behaviour on Twitter by sharing a customer's information publicly without regard for the consequences. The client wished to enquire where their recharge amount has disappeared, to which BSNL responded by posting his usage script on the platform.

Not only did this include his phone number and recharge amount, but the types of services and timestamps as well.

Source: Reddit

BSNL has already been under pressure with regards to privacy after Baptiste Robert, with the alias Elliot Alderson on Twitter, hacked into a multitude of BSNL websites. He apparently took advantage of a number of severe flaws in the company’s intranet to get complete details about 47,000 BSNL employees.

First thing first, I want to thanks @BSNLCorporate for their cooperation and their reactivity. All the issues below have been disclosed to them privately and fixed during the weekend. I hope they will take the appropriate actions internally. pic.twitter.com/xSB5nzqZtF

— Elliot Alderson (@fs0c131y) March 4, 2018 ]]>
The tweet is no longer visible but that doesn’t take away from the callousness what the incident.


They deleted their tweet with the customer info. Thank you @BSNLCorporate.

By denouncing, RT and like this kind of irresponsable behavior, we will create this needed change. https://t.co/h20TCIOEIP

— Elliot Alderson (@fs0c131y) March 7, 2018 ]]>

The BSNL story

Robert shared that he had informed BSNL of their security issues and informed them that their subsidiary websites intranetuk.bsnl.co.in and intranethr.bsnl.co.in had been subject to ransomware. This oversight happened despite Sai Krishna Kothapalli, informing BSNL about the same problem two years prior to Robert’s follow-up.

There were two more incidents where BSNL’s security was compromised, albeit not as severe. The first, where their real-time bandwidth monitoring system was available publicly and second, where directories of BSNL documents were accessible on the web for anyone to see.

Robert was able to get his hands on the names of all the employees by gaining access to BSNL’s intranet by using a malicious code. Through that, he was able to attain their personal information like cell phone numbers, dates of birth, salaries and compensation.

The state-owned telecommunications company issued a statement saying, “BSNL, being one of the largest Telecom Operators in India, is fully prepared to prevent any data loss related to its employees, customers or stakeholders.”

Lapse data protection

This is not the only vulnerability in the network of publicly owned online portals in the country. Robert had also informed the Bengaluru City Police, Telangana government as well as the Punjab Police about the gaps in their security.

#Telangana state responds to the security flaw on #NREGA beneficiaries website pointed by @NewIndianXpress by saying site was old and not in use since 2014. The site was operational and was being updated, as recently as August 1 , 2017 proof attached. https://t.co/YVxZfLy3Ic

— Mithun M Kutty (@mithun_tnie) March 2, 2018 ]]>

A report by the Indian Computer Emergency Response Team (CERT-In) shows that in 2017 alone, there were a whopping 53,081 cyber security incidents. The National Crime Record Bureau (NCRB) has reported that there have been a total of 12,317 cyber crime cases registered in 2016.

As of now, India doesn’t have any laws that explicitly address data protection or privacy. Even the Indian Constitution doesn’t unequivocally grant the “right to privacy.” The Indian IT Act 2000 does cover civil and criminal penalties for disclosure and misuse of personal data, but has largely been negligent in implementing their policies and maintaining a reasonable environment of security. This has resulted in criminals taking advantage of loopholes in the system.

BSNL isn’t alone

With respect to mobile service provides, Reliance Jio and Bharti Airtel have also faced scrutiny for not being diligent about their security practices. Just last year, Jio was the victim of a data leak, where they first claimed that the information was unsubstantiated and later filed a report with the authorities. Their findings exhibited that it was a case of ‘unauthorised access’ rather than ‘theft’. Nonetheless, the leak contained information that was sensitive, such as Aadhar card numbers and PAN details, pertaining to Jio customers.



Source: lalluram.com

Airtel, on the other hand, was opening Airtel Payments Bank accounts for their customers without their ‘informed consent’. After users conformed to Aadhar-based SIM verification, it was found that even their LPG subsidies were being directed into the Airtel bank without them having any idea about it. This resulted in the Unique Identification Authority of India (UIDAI) suspending Airtel’s e-KYC license temporarily.

Today’s incidence is only a small part of the larger predicament faced by the Indian government. The MeitY had invited comments on its white paper draft back till January 2018. The paper attempts to answer questions on privacy and data protection, but whether it is turned into law is yet to be seen.

READ MORE ARTICLES ON


Advertisement

Advertisement