This report analyzes data breaches and privacy issues in Nepal during the COVID-19 pandemic. It discusses several high-profile cases where hackers accessed and leaked personal information from major organizations, including food delivery service Foodmandu, internet provider Vianet, money transfer service Prabhu Money Transfer, and government websites. The report argues there is a lack of awareness and proper implementation of privacy laws in Nepal, as well as insufficient cybersecurity practices among many organizations. Improving cybersecurity culture and legal protections for personal data is needed to address the ongoing risks of data breaches during the pandemic.
Report on data breach and privacy in nepal during covid19 by shreedeep rayamajhi
1. Report on Data Breach and PRIVACY in Nepal During COVID19 by Shreedeep Rayamajhi 1
2. Summary
The present crisis situation of COVID19 has pressured different sectors with various issues and
challenges directly affecting the technological and physiological behavior of users. These behavioral
and psychological changes are subjected to the values and condition of individual users and their
presence of mind. This has hugely impacted and questioned the current status of Cyber security
situation in developing nations. This report is subjective to the case study done in context of Nepal
during the COVID19 where the number of cases of data breach and hacking extensively increased.
Data Breach and Privacy are two sides of a coin. Data in technical terms represent the series of
numbers or sequences of variables which needs an algorithm or program to be processed and
breaching means using tools for unauthorized access of information without consent where as Privacy
is a fundamental right of safeguarding personal information related to a person or individual. With the
limitation of knowledge and capacity, currently developing nations are struggling to differentiate
between the ongoing data breach and data protection issue where personal information of users are
stolen and are posted in open forums in regards to the neglected and unsecured system.
The hackers blame it to the private companies and the companies blame to the government
showcasing a lack of infrastructure and policy. Despite the fact that there is “Privacy Act” which has
been legally adopted in Nepal, the citizens of Nepal have not been able to understand and adopt its
use. If you look at the current situation there is a gaps of awareness of Privacy Act and its enactment.
Even at government level where personal information of citizen are openly shared in different official
website of the Nepal Government in the name of communication.
Looking at the local culture, technology is upgraded but when it comes to securing the system, the
organizations opt for cheaper options and the system is compromised. The basic problem is the
culture of underestimating importance of people’s information and undue valuation of system
security. It’s the culture vs the behavior where most of the time, system is compromised in lack of
values and evolves into a greater nuisance of Cyber hygiene in individual behavior.
The recent data breaches cases highlight a wide range of scenario and scope of Cyber security position
of the country especially at times of crisis. At organizational level more hackers are attacking the value
chain system where as in individual level various phishing and malware are targeted.
Data Breach is a dynamic topic which has no radical solution except improving the values and culture
of an organization. A lot of the times the problems comes from security laps and carelessness that
happens due to ignorance. The problem that is currently seen during the COVID19 crisis may be
differential to time and situation but more or less in context of the Cyber security, it is part of the
strategy of utilizing the loop hole left behind with the value chain system. At this time of crisis
especially in developing nations the problem of data privacy and data protection has become a greater
issue. In most of the developing countries Data Privacy law has been pushed due to the enactment of
the GDPR but significantly the launching has not change the attitude of the government and people.
Report on Data Breach and PRIVACY in Nepal During COVID19 by Shreedeep Rayamajhi 2
3. According to Google, “Our systems have detected 18 million malware and phishing Gmail messages
per day related to COVID-19, in addition to more than 240 million COVID-related daily spam messages.
Our machine learning models have evolved to understand and filter these threats, and we continue to
block more than 99.9 percent of spam, phishing and malware from reaching our users.”
Cyber security has evolved as a major challenges in developing nation in terms of practice and
definition. The standard definition may defines a systematic approach of procedure and series of tasks
to be performed but a lot of the time, it demands intuitiveness and promptness. Likewise, in today's
world of technology, everything is changing. With this change the definition and practice of Cyber
security is also changing and adaptation user behaviors and safeguarding people’s interest in the most
effective and efficient way.
PRIVACY VS DATA PROTECTION
Report on Data Breach and PRIVACY in Nepal During COVID19 by Shreedeep Rayamajhi 3
4. Current Law in Nepal
Privacy Act of Nepal
Chapter-6, Privacy Relating to Data
Article 12 To have privacy of data:
(1) Every person shall have the right to keep the personal data or details related to him or her
confidential.
(2) While collecting personal or family data of any person, his or her consent shall be obtained.
(3) The data collected by a public body or body corporate upon obtaining the consent of the
concerned person shall be used only for the purpose for which such data have been collected.
Provided that if any data are demanded for the national security or peace and order, it shall not be
deemed to bar to provide such data in accordance with the prevailing law.
Link: http://www.lawcommission.gov.np/en/archives/20704
Chapter-10 Collection and Protection of Personal Information
Article 25 Protection of collected information:
(1) The personal information that has been collected by any public body or remained under the
responsibility or control of such a body shall be protected by such body.
(2) For the purpose of sub-section (1), the public body shall have to make appropriate arrangement
against unauthorized access likely to occur to personal information, or against the possible risk of
unauthorized use, change, disclosure, publication or transmission of such information.
(3) Notwithstanding anything contained elsewhere in this Section, the public body may disclose or
get any personal information disclosed under the prevailing law.
Not to use personal information without consent: (1) Except in the following circumstances, the
personal information collected by or remained under the responsibility or control of a public body or
body corporate shall not be used or given to any one without the consent of the concerned person:
(a) It has been published or distributed for the purpose of which the personal information has
been collected,
(b) If demanded in written form, in the course of investigation or prosecution of a criminal case,
by the official authorized for making such investigation or prosecution,
(c) If an order is made by the court in the course of taking action on a sub-judice case,
(d) If question is to be solved, when it is raised about the qualification or any other matter of the
person, who is holding a public post under the prevailing law,
(e) If the authorized official demands for any particular kind of information in written form, in
order to solve the question raised on any particular matter.
Link: http://www.lawcommission.gov.np/en/archives/20694
Report on Data Breach and PRIVACY in Nepal During COVID19 by Shreedeep Rayamajhi 4
5. Foodmandu App Hacking
Issue Personal Information
Cyber Security Issue Hacking | Data Breach | Data Privacy |
No of Victims 50,000
March 8, 2019, Foodmandu, an e-commerce
company providing on-demand food
delivery service across Kathmandu valley
encountered data breach on Saturday night.
According to a statement released by the
company on Sunday, they detected a cyber-
attack by a hacker which resulted in
unauthorized access of customer data.
Names, mailing addresses, email addresses
and phone numbers of the users were
exposed to cyber attack, according to CEO
Nidhaan Shrestha.
A Twitter handle by the name of Mr. Mugger
revealed the dump of data of 50 thousand Foodmandu users and also disclosed the link associated
with the data.
Foodmandu, on the other hand, informed that they fixed the loophole in their web application
immediately after the incident was noticed.
They further stated that they are in regular contact with the Cyber Crime Division and also requested
for the security of the dumped data.
Claiming that there is no impact on their commercial operations, Foodmandu in the statement
assured to resolve the issue at the earliest.
Link: https://myrepublica.nagariknetwork.com/news/foodmandu-s-website-hacked-50-thousand-
users-data-dumped/
Report on Data Breach and PRIVACY in Nepal During COVID19 by Shreedeep Rayamajhi 5
6. Kathmandu Press Website Unauthorized Access:
Issue Privacy | Unauthorized Access
Cyber Security Issue Unauthorized Access | Hacking | Press Freedom | Data Privacy |
No of Victims 1
April 02, KATHMANDU: Online news portal Kathmandu Press [kathmandupress.com] today issued a
statement regarding the unauthorised removal of a published content on their website on Tuesday
evening.
The news outlet’s Chief Editor Kosmos Biswokarma says their team started receiving a volley of
responses after publishing a report on involvement of Defence Minister and Prime Minister’s Chief
Advisor’s sons in expensive medical equipment procurement deal. “On Wednesday morning, we
received a call from Biswas Dhakal and Subhash Sharma from F1Soft, a parent company of Shiran
Technologies who manage the development and design of our website. They asked us to remove the
report stating there’s immense pressure from ‘above’,” Biswokarma says in the statement.
According to the Editor, they explained to Dhakal and Sharma that a published content cannot be
taken down but the parties that have issues with the content or have to refute the claims can send a
written dissent response. Later at 10:30, they received a call from Shiran Technologies to remove the
content. The team warned the developers to not mess with their site, however, despite the warning,
the report was taken down.
“We tried contacting Biswas Dhakal, Subhash Sharma and Prajwal Maharjan many times after that but
to no avail.”
Instead of restoring the removed item, the developers jammed the site for almost two hours between
2:00-4:00 pm on the same day, according to the statement. “They finally allowed content upload on
being warned with a legal action.
“This is perhaps the first instance wherein the web-developers have taken the liberty to remove a
published content from the news portal,” Biswokarma says in the statement.
Kathmandu Press says it has taken this act as a move to control media and an attack on press freedom.
The laws are clear on measures to be taken if someone does not agree to a published report. “We are
ready to correct ourselves or face action if our content is misleading or incorrect,” the portal said
adding, “we are now consulting with legal experts on how to move forward in this matter.”
Link: https://thehimalayantimes.com/kathmandu/kathmandu-press-issues-statement-on-
unauthorised-content-removal/
Report on Data Breach and PRIVACY in Nepal During COVID19 by Shreedeep Rayamajhi 6
7. Vianet Website Hacked
Issue Personal Information
Cyber Security Issue Hacking | Data Breach| Data Privacy |
No of Victims 160,000
KATHMANDU, April 9: In yet another breach of customer data, Vianet Communications – one of the
largest internet service providers in Nepal – suffered a 'serious hack' on Wednesday. Data belonging to
more than 160,000 consumers was leaked by a hacker through Twitter.
This is the second such data breach incident in a month. Data of Foodmandu – a popular e-commerce
food delivery service – was breached by hackers exactly a month ago.
On Wednesday, data was leaked by a twitter handle @paapi_kto_mah attaching a link, where the
personal data of more than 160,000 Vianet users was made public. The data included emails, phone
numbers and addresses.
“The data of more than 160,000 users has been compromised. We [Vianet] found out about the
situation today [Wednesday] afternoon,” Binay Bohra, managing director of Vianet Communications,
told Republica, adding that the company has already informed the Cyber Bureau of Nepal Police.
The company also informed that hackers had started to dig the consumer data from Tuesday.
“The incident is similar to the hacking of a food delivery company a month ago. It is not clear the
Vianet data was compromised by the same group,” said Bohra, adding that Vianet is also investigating
the incident.
Bohra confirmed that personal information of consumers including phone numbers, addresses and
email addresses were made public by the hackers. “The link shared by the hackers has already been
taken down with the help of Nepal Telecommunications Authority (NTA),” Bohra added.
Meanwhile, the company has accepted that it needs to make the system more powerful to better
secure users' information.
A month ago, a Twitter user going by the username Mr Mugger had leaked personal information of
almost 50,000 users of Foodmandu.
Meanwhile, the Cyber Bureau of Nepal Police informed that the company informed about the incident
late in the afternoon after several online portals broke the news. The cyber bureau said police have
already started investigations into the case.
Link: https://myrepublica.nagariknetwork.com/news/hackers-leak-personal-info-of-vianet-users/
Report on Data Breach and PRIVACY in Nepal During COVID19 by Shreedeep Rayamajhi 7
8. Prabhu Money Transfer Attack
Issue Personal Information
Cyber Security Issue Hacking | Data Breach | Data Privacy
No of Victims 500
Kathmandu, 10 April,2020 The story has been
repeated again with Prabhu Money Transfer
being victim. A twitter handle Cyber_hell_god
today posted a tweet that said:After the
warning, the alleged hacker- as promised
tweeted a tweet from a new twitter id where
he has added a link which leads to the data
dump of around 500 users that includes IP
address, E-mail address, name, and phone
number. Looking at the user data it seems
those of the money senders and
recievers.However, there is no any official
response from Prabhu Money Transfer on this
data breach yet. So we can’t be sure that the
data leaked by the alleged hacker is 100% correct. All we can do now is wait for the official response
from Prabhu Money Transfer.
Such data breach cases have been increasing day by day. First Foodmandu, then Vianet
communications and now Prabhu Money Transfer have been the victim. As the alleged hackers say,
these companies need to work on increasing cyber securities. User’s data shouldn’t be treated useless
and stored inside a weak firewall.
Link: https://nepstuff.com/prabhu-money-transfer-user-data-compromised-after-a-leak/
TU engineering Website hacked
Issue Personal Information
Cyber Security Issue Hacking | Data Breach | Data Privacy |
No of Victims 406
April 10, 2020, Kathmandu, Nepal, SATAN (@satan_cyber_god), a twitter sensation hacker has leaked
data of Tribhuwan University Teachers and Staffs. Recently, through a Twitter handle with username
@satan_cyber_god, the hacker made public the names, departments and email addresses of teachers
of Tribhuvan University and CTEVT. Blood groups with their designations have also been made public.
Report on Data Breach and PRIVACY in Nepal During COVID19 by Shreedeep Rayamajhi 8
9. The hacker has also warned CTEVT to
secure its data. He leaked data of 69
people through Pastebin. The link to the
Pastebin had been shared to Twitter.
Although the data of different
departments have been leaked, leaked
data contains data from Medicine
Department the most.Earlier, the hacker
claimed to have leaked the data of
Prabhu Money Transfer under Prabhu
Group as a demo data. The leaked data
included 406 people’s data including,
Name, Email Address, Phone Number and IP Address.The same person has also warned Nepali
Congress to secure its system else he’d leak the data along with donations received.
Link: https://ictframe.com/satan-leaked-data-of-tribhuvan-university-teaching-staffs/
SATAN: Leaking Government Websites’ Data And Threatening Others
Issue Personal Information | Login information
Cyber Security Issue Hacking | Data Breach | Data Privacy |
No of Victims unknown
After three days of unavailability on Twitter, SATAN
(@satan_cyber_god) tweeted a tweet yesterday. After
his return to Twitter, he started posting the website
bugs and warning them to fix it as soon as possible. He
also leaked the login credentials of some government
websites through his twitter handle.
He tweeted threatening Kantipur Daily, a pioneer news
media in Nepal. In his tweet, he stated that Firebase
JSON file’s permission is not set properly in Kantipur
Daily’s website. He added, if they don’t fix it, he has to.
In his other tweet, he informed Daraz that its site is vulnerable to XSS and possibly more attacks. He
then warned them to fix it soon else he would make them fix it.The things got worse when he tweeted
the picture saying he was in Mercantile’s system then. He challenged it to do whatever it wanted to
do. In case you didn’t know, Mercantile is the official registrar of .np domains. It registers all .np
domains.
Report on Data Breach and PRIVACY in Nepal During COVID19 by Shreedeep Rayamajhi 9
10. After a short time, he again tweeted on the same case. He tweeted saying, “woops! Did i just got
access to each and every .np domains of Nepal?” In the same tweet, he uploaded the picture of the
database of .np domains.
Then, he retweeted the tweet of TechPatro, a tech news portal of Nepal, in which it had said that
SATAN was threatening Kantipur Daily, Daraz and Mercantile by saying that he didn’t threaten anyone.
He added he was just informing the companies before a black hat exploits the loopholes and harms
the website and was doing for fun. He then warned to think before posting such things
again.TechPatro responded to its tweet saying that he leaked CTEVT information which can harm a lot
of people and recent data breaches triggered phishing attempts to many Viber users recently. After
some time, TechPatro noticed a login attempt to its system with a fake IP address of Beijing.He then
added a photo saying, “See some more internal images of Nepal’s official domain registrar! GB’s of
data! But it’s all safe.”After some time, he shared the login credentials of some government websites
and asked if people still take him as a joke.The last tweet of the day threatened Nepal Electricity
Authority, an electricity supplier of Nepal. He said, “Nepal electricity authority <3 you will be notified
tomorrow!”. He added, “Thanks for the support! Hope we can bring the change together <3”. His
tweet ended with “ Operation #Justicefornirmala soon” which suggests people associated with the
Nirmala Pant rape and murder case are his next targets.
Link: https://ictframe.com/satan-leaking-government-websites-data-and-threatening-others/
Viber Attack Attempt
Issue Communication Attack
Cyber Security Issue Phising | Data Breach | Data Privacy |
No of Victims unknown
In recent days, the case of data breach and security threats is increasing in Nepal. With the growth of
digital trends and the adaption of digital technology in the country, the risk of a data breach is also
getting bigger. Data security has become one of the most needed things at the moment. Viber hack
has become widespread with the recent leaks and today we will be discussing the majors taken to
avoid such hacks.It has been reported that Viber users in Nepal are getting calls and SMS with
Verification Code and Verification Link. Some have reported that they are getting calls from unknown
foreign numbers starting with +33.Viber doesn’ send verification code or link until and unless you try
to activate the Viber account in the new device. When you activate your account on a new device,
Viber calls you as a verification call which ends in a certain time. Getting calls and messages fro the
numbers starting with +33 in an active device with an active account is suspicious. If you are getting
such calls or messages, you can be sure that someone is trying to hijack your Viber account and we do
not recommend you to receive such calls.
Report on Data Breach and PRIVACY in Nepal During COVID19 by Shreedeep Rayamajhi 10
11. For the convenience of the Viber users, we have
gathered some techniques that hackers are trying to
exploit your account and you should avoid it.
Getting SMS that has a verification link or code from
an unknown number or even from Viber.
Getting calls from anonymous numbers from foreign
countries that usually starts with +33.
Randomly opening a QR scanner in your Viber App
which only executes when someone tries to access
your account from PC.
Avoiding your account from being exploited
As mentioned above that the link is incoming to your
account to get access to your account on PC. Those
links are authorization links that are pushed to your
smartphone from the user who tries to access your
account. Those links are valid for 30 minutes and if
you click the link, the login attempts by the
anonymous person will be authorized. Eventually, the
person gets access to your account and this might get
disastrous. We can avoid this situation by taking some precautions. If you are one of the victims of
these malicious activities, we request you not to respond to any of these activities. If you are already a
victim of such activities, then you can delete the data on your Viber account. Find the steps to follow
for protecting your data.
Link: https://www.nepalitelecom.com/2020/04/people-facing-viber-hack-attempts-data-leaks.html
Hundreds of millions of Facebook user records were exposed on Amazon cloud server
Issue Social Media Attack
Cyber Security Issue Phising | Data Breach | Data Privacy |
No of Victims 540 Million
More than 540 million records about Facebook users were publicly exposed on Amazon's cloud
computing service, according to a cybersecurity research firm. A report out Wednesday by UpGuard
said two third-party Facebook app developers posted the records in plain sight, causing yet another
major data breach for the world's biggest social network.
According to UpGuard, a Mexico-based media company called Cultura Colectiva was responsible for
the biggest leak. It exposed 146 gigabytes of Facebook user data, including account names, IDs and
Report on Data Breach and PRIVACY in Nepal During COVID19 by Shreedeep Rayamajhi 11
12. details about comments and reactions to posts. It's unclear how many individual users had data
exposed.
Separately, an app called At the Pool exposed databases that appeared to include data about user IDs,
friends, photos and location check ins, as well as unprotected Facebook passwords for 22,000 users.
The app — which was meant to help people meet up for offline activities — shut down in 2014.
Facebook extends hate speech ban to include white nationalism
UpGuard said it alerted Cultura Colectiva and Amazon about the breaches from Cultura Colectiva in
January, but no action was taken until Wednesday morning. After Bloomberg reached out to Facebook
for a comment about that breach, an Amazon "storage bucket" with the data from Cultura Colectiva
was secured.
Link: https://www.cbsnews.com/news/millions-facebook-user-records-exposed-amazon-cloud-server/
Zoom Attack Attempt
Issue Communication Attack
Cyber Security Issue Unauthorize Access | Hacking
No of Victims unknown
Due to corona virus pandemic forced people to stay indoors and work from home, leaving voice and
video calls the only way of communication. Zoom video conferencing app has seen an unprecedented
level of growth in the past month or so. Because of this sudden growth, several privacy and security
concerns surrounding Zoom have come to the fore. Now, a fresh report claims that over 500,000
Zoom accounts have been hacked and are being sold on the dark web.
A report by Bleeping Computer states that hackers are selling these Zoom accounts for less than a
penny each and in some cases, they are being given away for free. The report adds that this
information about free Zoom accounts being posted on hacker forums was first pointed out by
Cybersecurity intelligence firm Cyble around April 1.
Change Zoom passwords if used elsewhere. These Zoom account credentials include email addresses,
passwords, personal meeting URLs, and HostKeys, according to the report. It is highly advisable that
users change their Zoom passwords, especially if the same password is used elsewhere. They should
try to use unique passwords for each site.
Link: https://reviews.com.np/article/over-500000-zoom-accounts-sold-on-hacker-forums-the-dark-
web
Report on Data Breach and PRIVACY in Nepal During COVID19 by Shreedeep Rayamajhi 12
13. Report on Data Breach and PRIVACY in Nepal During COVID19 by Shreedeep Rayamajhi 13
14. Recommendation and Suggestion
Organization Level
1. At organization level clear values and culture of Cyber security protocols has to be set with
regular training and standards defined
2. Deploy anti SPAM policy in the organization and behavior of individuals
3. Install and maintenance of firewall, antivirus solution, schedule signature updates, and
monitor the antivirus status on all equipment
4. Regular update of all security systems and patches
5. Deploy a web filter to block malicious websites.
6. Encrypt all sensitive company information.
7. Secure system administrations vulnerabilities and disable third-party or outdated components
that could be used as entry points
Individual Level
1. At individual level, individual behavior is very important which is hugely influenced by values
and cultures
2. Cyber awareness and capacity building program focusing on individual Cyber hygiene
3. Install an antivirus solution, schedule signature updates, and monitor the antivirus status on
all equipment
4. Regular update of all security systems and patches
5. Use of encryption for employees that are working from home
6. Be vigilant and create easy communication and talk with your family including children about
how to stay safe online
7. Update the privacy settings on your social media accounts;
8. Check and Update your passwords and ensure they strong (a mix of uppercase, lowercase,
numbers and special characters);
9. Always confirm before clicking any links or open attachments in emails which you were not
expecting to receive, or come from an unknown sender
10. If you feel there is something wrong talk with your technology guys or police
11. Do regular scans on your computers or mobile devices
Country Level
1. Regular IT risk assessment Mechanism
2. Awareness and capacity building training on Cyber security hygiene
3. Need of the Cyber Security Operation (CSO)centers
4. Proper research and data management system
5. Securing an effective CRISIS Management System
6. Collaborating and creating favorable environment for multistakeholder dialogue
7. Creating a secure environment for building trust and collaboration
Report on Data Breach and PRIVACY in Nepal During COVID19 by Shreedeep Rayamajhi 14
15. COVID19 Crisis Information Attack Matrix
Types of Attack Values Remarks
Cyber Attack Phishing | Ransomware |
Malware
Disinformation Fake News|
Misinformation
Social Media Crisis Racism |Hate of Speech |
Violence
Channeling Disinformation and
communication barriers in
creating crisis situation through
social media
Communication Attack Hacking | Data Privacy
Economical Attack Strategic Attack on
Economic Components
Others Addiction | Domestic
Violence | Gender Gap
Report on Data Breach and PRIVACY in Nepal During COVID19 by Shreedeep Rayamajhi 15
16. Reference
1. The Privacy Act, 2075 (2018)
http://www.lawcommission.gov.np/en/archives/20722
2. Cyber Security Issues In Nepal, Shreedeep Rayamajhi
https://ictframe.com/cyber-security-issues-in-nepal-shreedeep-rayamajhi/
3. Diplo Foundation IGCBP09 Research Phase A Synopsis of Cyber Warfare & Terrorism Course
Objective
https://www.researchgate.net/publication/
313099863_Diplo_Foundation_IGCBP09_Research_Phase_A_Synopsis_of_Cyber_Warfare_Terr
orism_Course_Objective
4. No privacy in Nepal
http://www.shreedeeprayamajhi.com.np/2020/03/no-privacy-in-nepal.html
5. COVID-19 Cyberthreats
https://www.interpol.int/en/Crimes/Cybercrime/COVID-19-cyberthreats
6. Smart Data Module 5 d drive_legislation
https://www.slideshare.net/caniceconsulting/smart-data-module-5-d-drivelegislation
7. Privacy and Security issues in Internet
https://shreedeeprayamajhi.blogspot.com/2009/08/privacy-and-security-issues-in-
internet.html
Report on Data Breach and PRIVACY in Nepal During COVID19 by Shreedeep Rayamajhi 16