Not only did this include his phone number and recharge amount, but the types of services and timestamps as well.
Source: Reddit
BSNL has already been under pressure with regards to
First thing first, I want to thank @BSNLCorporate for their cooperation and their reactivity. All the issues below have been disclosed to them privately and fixed during the weekend. I hope they will take the appropriate actions internally. pic.twitter.com/xSB5nzqZtF
— Elliot Alderson (@fs0c131y) March 4, 2018
They deleted their tweet with the customer info. Thank you @BSNLCorporate.
By denouncing, RT and like this kind of irresponsible behavior, we will create this needed change. https://t.co/h20TCIOEIP
The BSNL story
Robert shared that he had informed BSNL of its security issues and told the company that its subsidiary websites intranetuk.bsnl.co.in and intranethr.bsnl.co.in had been subject to ransomware. This oversight happened despite Sai Krishna Kothapalli informing BSNL about the same problem two years prior to Robert’s follow-up.
There were two more incidents in which BSNL’s security was compromised, albeit not as severely. In the first, its real-time bandwidth monitoring system was publicly available; in the second, directories of BSNL documents were accessible on the web for anyone to see.
Robert was able to obtain the names of all the employees by gaining access to BSNL’s intranet using malicious code. Through that, he was able to obtain their personal information, such as cell phone numbers, dates of birth, salaries and compensation.
The state-owned telecommunications company issued a statement saying, “BSNL, being one of the largest Telecom Operators in India, is fully prepared to prevent any data loss related to its employees, customers or stakeholders.”
Lapse
This is not the only vulnerability in the network of publicly owned online portals in the country. Robert had also informed the Bengaluru City Police, Telangana government as well as the Punjab Police about the gaps in their security.
#Telangana state responds to the security flaw on #NREGA beneficiaries website pointed by @NewIndianXpress by saying site was old and not in use since 2014. The site was operational and was being updated, as recently as August 1, 2017 proof attached. https://t.co/YVxZfLy3Ic
— Mithun M Kutty (@mithun_tnie) March 2, 2018
A report by the Indian Computer Emergency Response Team (CERT-In) shows that in 2017 alone, there were a whopping 53,081 cyber security incidents. The National Crime Record Bureau (NCRB) has reported that there have been a total of 12,317 cyber crime cases registered in 2016.
As of now, India doesn’t have any laws that explicitly address data protection or privacy. Even the Indian Constitution doesn’t unequivocally grant the “right to privacy.” The Indian IT Act 2000 does cover civil and criminal penalties for disclosure and misuse of personal data, but has largely been negligent in implementing its policies and maintaining a reasonable environment of security. This has resulted in criminals taking advantage of loopholes in the system.
BSNL isn’t alone
With respect to mobile service providers, Reliance Jio and Bharti Airtel have also faced scrutiny for not being diligent about their security practices. Just last year, Jio was the victim of a
Source: lalluram.com
Airtel, on the other hand, was opening Airtel Payments Bank accounts for its customers without their ‘informed consent’. After users conformed to Aadhaar-based SIM verification, it was found that even their LPG subsidies were being directed into the Airtel bank without them having any idea about it. This resulted in the Unique Identification Authority of India (UIDAI) suspending Airtel’s e-KYC license temporarily.
Today’s incident is only a small part of the larger predicament faced by the Indian government. The MeitY had invited comments on its draft white paper until January 2018. The paper attempts to answer questions on privacy and data protection, but whether it is turned into law remains to be seen.