- Data theft of customer records from financial institutions is a serious and growing problem in India, with records being sold online for less than $0.01 each. Customer data is often not well protected and is spread across many different systems with broad access.
- Regulatory frameworks and enforcement are still weak, and many organizations do not prioritize data protection. Comprehensive solutions require changes to policies, processes, oversight of vendors, access controls, encryption, and other technologies. Stronger laws and regulations may also be needed to curb the problem.
Data theft in India (K K Mookhey)
1. Data Theft in India
- Straight talk, no nonsense
K. K. Mookhey, Principal Consultant
CISA, CISSP, CISM
2. Speaker Introduction
Founder & Principal Consultant
Network Intelligence
Institute of Information Security
Certified as CISA, CISSP and CISM
Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008, 2009
Co-author of book on Metasploit Framework (Syngress), Linux Security & Controls (ISACA)
Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA)
Over a decade of experience in pen-tests, application security assessments, forensics, compliance, etc.
3. Agenda
What’s the ground reality
Recent news
Financial institution data theft explored
Challenges
Solutions
Conclusion
13. Less than 1 cent per record!
http://www.jobstiger.com/emaildatabaseindia.html
http://www.kumudhamwebtech.com/
http://hyderabad.olx.in/38-lakh-stock-market-traders-dmat-account-holders-database-44000-sub-brokers-iid-106295300
http://www.ebusinessindya.biz/
http://www.mobiledataindia.com/
http://www.gsquare.biz/data.html
14. Fresh record price = Rs. 75
Converted customer price = Rs. 150
View from the trenches…
15. Pick an industry, pick a company
Large business house gets into the financial services industry with a big bang
But slightly late in the game
Huge marketing blitz, offices opened nationwide
Aggressive marketing, huge ad spends
Customer base widens
Assets under management bloat
In a couple of years, they’re within the top 5 private insurers, equity trading companies, and mutual funds!
However…
16. Data all over the place…
Specific mutual fund purchase records available for a price
Customers get calls just before their fund payments are due
Customers get calls to switch funds
Specific data available:
Customer name
Cover amount
Investment amounts
Fund details
Personal information
Expiry dates
And more…
20. Where is the customer data? – Equity Trader Example
Primary Trading system
CRM
Business Intelligence system
Compliance Reporting system
Backups
Password Reset system
Excel
Flat files
USBs
Shared folders!
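The list above ends with the four places a trading firm rarely inventories: Excel, flat files, USB copies and shared folders. The check a practitioner would run against them is a data-at-rest discovery sweep. The Python below is an added example, not code from the deck or from Network Intelligence: it walks a directory of exports, counts distinct PAN numbers and Indian mobile numbers per file, flags files that hold a bulk of customer records, and reports files it cannot read as text (Excel workbooks are a common blind spot for a naive scanner). The PAN holder-type letter set is used as a false-positive filter, the file-suffix list and bulk threshold are assumptions, and every sample row in `demo()` is constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Identifier patterns typical of Indian financial customer records.
# PAN: 5 letters, 4 digits, 1 letter. The 4th letter encodes holder type
# (P person, C company, H HUF, F firm, A AOP, T trust, B BOI, L local
# authority, J juridical person, G government); restricting it cuts
# false positives from random upper-case tokens. Assumption for the demo.
PAN_RE = re.compile(r"\b[A-Z]{3}[ABCFGHJLPT][A-Z][0-9]{4}[A-Z]\b")
# Indian mobile number: 10 digits starting 6-9, optional +91 / 0 prefix.
MOBILE_RE = re.compile(r"(?<![\d+])(?:\+91[\s-]?|0)?[6-9]\d{9}(?!\d)")

# Plain-text export formats the scanner parses (assumed list).
TEXT_SUFFIXES = {".csv", ".txt", ".dat", ".log", ".tsv"}


def count_identifiers(text):
    """Return distinct PAN / mobile counts in text.

    Mobiles are normalised to their last 10 digits so '+91 98...' and
    '98...' for the same subscriber count once.
    """
    pans = set(PAN_RE.findall(text))
    mobiles = {re.sub(r"\D", "", m)[-10:] for m in MOBILE_RE.findall(text)}
    return {"pan": len(pans), "mobile": len(mobiles)}


def scan_tree(root, bulk_threshold=50):
    """Walk a share/export directory; report text files carrying identifiers.

    Returns (findings, unscanned). Binary formats such as .xlsx are not
    parsed here and are returned in 'unscanned' rather than silently
    skipped, so the blind spot is visible in the report.
    """
    findings, unscanned = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() not in TEXT_SUFFIXES:
            unscanned.append(str(path))
            continue
        counts = count_identifiers(path.read_text(errors="ignore"))
        # Rough row estimate: the commonest identifier in the file.
        records = max(counts.values())
        if records:
            findings.append({"file": path.name, "path": str(path), **counts,
                             "bulk": records >= bulk_threshold})
    findings.sort(key=lambda f: -max(f["pan"], f["mobile"]))
    return findings, unscanned


def demo(bulk_threshold=5):
    """Build a constructed 'shared folder' and scan it. All data is synthetic."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    (root / "research").mkdir()
    # A mutual-fund customer export that should never sit on a share (constructed rows).
    rows = ["name,pan,mobile,fund,sip_due"]
    for i in range(8):
        rows.append(f"Customer {i},ABCPE123{i}F,98765432{i:02d},Equity Growth,2011-03-0{i + 1}")
    (root / "research" / "mf_customers_mar.csv").write_text("\n".join(rows))
    # A note with a single contact number: one identifier, not a bulk dump.
    (root / "todo.txt").write_text("call back client on 9123456789 re switch\n")
    # A file with no customer data at all.
    (root / "readme.txt").write_text("quarterly research notes\n")
    # An Excel workbook the text scanner cannot read (placeholder bytes).
    (root / "research" / "leads.xlsx").write_bytes(b"PK\x03\x04")
    return scan_tree(root, bulk_threshold)


if __name__ == "__main__":
    found, skipped = demo()
    for f in found:
        print(f"{'BULK ' if f['bulk'] else '     '}{f['path']}: pan={f['pan']} mobile={f['mobile']}")
    for p in skipped:
        print(f"UNSCANNED {p}")
```

Run it against a mounted share with `scan_tree("/mnt/share", bulk_threshold=50)` and look first at the files flagged `bulk`; a CSV on a research or call-centre share with hundreds of PANs is the "data all over the place" problem made concrete. The `unscanned` list is the to-do for a real DLP deployment, since the dumps that matter most are often spreadsheets.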
21. Who has access to it?
Front-office
Back-office
IT
Research
Customer service
Vendors
KYC
Call Center
Direct Sales Agents (Devil’s in-Security Agents)
DPs (depository participants)
Registrars
Settlement
Finance & Accounts
Cleaning Staff??
23. Weak regulatory framework
Unless someone serious starts kicking some serious ass, nothing’s going to change…
RBI
SEBI
AMFI
But what about?
IRDA
TRAI
UID?
Healthcare??
Pharma??
FMCG??
Retail??
Government????
24. Government’s role
No comprehensive national consciousness on data protection
Data protection efforts not cohesive – don’t address all industries
Government endorses data theft and invasion of privacy?
Niira Radia tapes
Blackberry controversy
…
25. Business comes first!
Sell more!
Expand market share!
Heavy reliance on limited number of outsourced vendors
Weak mechanisms to oversee data protection by vendors
Vendors don’t care…
26. When things do end up in court…
Judge: IT?!?
Senior Counsel: Well…umm…err…you see this is under Section 66 of IT Act because, well…err…
Junior Counsel (whispering): Sir…we need to get imaging done…not sure what that is, but the “cyber expert” we hired told us to do this
Judge: Please continue!
Senior Counsel: Sir we need a forensic investigation done
Judge: What is that?!? Okay, seal the website!
Court-appointed Commissioner: Yes sir, but kindly clarify who pays my fees?
29. Solutions
Technologies
Encryption
Data Leakage Prevention
Information Rights Management
Database security solutions
Audit/Log Management
Stronger regulations
Stronger laws or stronger enforcement of existing laws
Mindset change
Data protection does matter!
It is NOT a technology issue
Policy and process frameworks must be implemented
ISO 27001 is not the answer
31. Summary
It is an epidemic, and it is getting worse!
When Big Brother wields the stick, then things begin to happen – fines, penalties, court cases
Back to basics approach – thorough risk assessments!
Identity and access management
Technologies help, but it has to begin with PPP – Policy, Process, People
Innovative audit/forensic techniques
32. Thank you!
Questions / Queries
K. K. MOOKHEY
kkmookhey@niiconsulting.com
NETWORK INTELLIGENCE INDIA PVT. LTD.
www.niiconsulting.com