The Reserve Bank of India has no system of alerting or informing customers whose personal data has been compromised in financial cybersecurity incidents like a data breach, RTI documents obtained by Entrackr revealed.
The RTI was filed after cybersecurity firm Cyble had alleged that fintech company Pine Labs had suffered a data breach in August claiming that around 500,000 records of Pine Labs including confidential client agreements, employee data, financial reports, and other internal documents were hacked.
In the RTI, the central bank was asked about the procedure it follows to inform customers impacted by cyber security incidents. To that, the bank replied, “Reserve Bank of India does not have a system of informing such customers”.
The right to information request was filed by independent security researcher Srinivas Kodali on behalf of the Cashless Consumer collective, as part of the organisation’s larger efforts to create awareness about the risks involved in digital transactions.
We have reached out to the Reserve Bank of India for comment and will update the story in case they respond. However, it does seem that the RBI prefers to handle its responsibility by shifting the onus on institutions regulated by it, or by simply making the process of online payments a little more ‘complicated’.
This has been apparent in both the push for 2-factor authentication (2FA) and this week, the auto-debit rules that came into effect. Both the moves have been disruptive for a fintech sector in high gear, with mixed results in terms of net impact. Add to that the ease of use of UPI now, and it is clear that the playground for RBI will continue to throw up surprises.
On credit and debit cards, RBI’s revelation is crucial for one key reason. In 2019, it was reported that more than 1.3 million payment card details–98% of them being Indian banks’ cards–were allegedly put up for sale on the dark web. While RBI directed banks to investigate the issue, users never knew whether or not their card details were compromised.
Similarly, this year stockbroker Upstox admitted to facing a data breach. While the company had alerted its users that it had suffered a data breach, it did not reveal how many people were impacted and whether it had informed every impacted user about those specific details.
For impacted users, getting to know if their financial data was compromised by any RBI regulated entity would matter when seeking compensation.
“As the regulator responsible to keep financial transactions safe, RBI is duty bound to explain the nature of data breaches in digital payment firms and educate people about various social engineering attacks they might face because of these breaches,” Kodali told Entrackr.
He added that financial information is treated as sensitive personal information and people have a right to seek compensation for any loss that might occur from these companies under the IT Act.
“RBI as the regulator looking into these issues must be transparent to the people of India,” said Kodali.
To be sure, the RBI does require financial companies to report any security incident to it within two to six hours. Cybersecurity incidents are also required to be reported to the Computer Emergency Response Team (CERT-In).
Under the upcoming Personal Data Protection Bill, which remains delayed thus far, companies who face a data breach will have to notify it to a Data Protection Authority, which will finally decide whether or not the breach should be notified to customers.
Financial fraud is on the rise in the country. In 2020 alone, close to 3 lakh cybersecurity incidents in digital banking were recorded in India, according to government data presented in Parliament earlier this year. These incidents included phishing attacks, network scanning and probing, viruses and website hacking.
The impact of new innovations like contactless payments have yet to be documented, as these are early days yet.