In today's Finshots, we look at cyberattacks and review the current situation in India.



The Story

₹7.3 crores!

That’s the amount hackers stole from Indian fintech startup Razorpay over a three-month period.

For the uninitiated, Razorpay is a payment gateway firm. They enable payments when you’re trying to pay for pizza on your favourite food delivery app, for instance. They’re quite good at it. But one of these days hackers were able to compromise the payment verification process, and it seems they made off with 7.3 crores in the process. Now Razorpay has contended that no other parties have been affected by all this, but we have to ask: “Why isn’t this big news?” “Why aren’t more people talking about this?”

Well, the truth is… The ecosystem is kind of used to it by now. At least Razorpay has been fairly transparent about what happened. But most companies don’t even acknowledge data breaches. In the past couple of years, news reports have alleged that JusPay, Pinelabs and MobiKwik have all witnessed data breaches, and not everyone has been forthcoming about the breach. At least not until independent researchers stumbled on it.

You can kind of understand why they’re so reluctant to do this. After all, it’s not a great look for your business. But since we don’t have stringent guidelines on issues like these, some companies can get away with the most egregious things. And the implications are massive. One simple hack and the attackers get access to millions of bank account and credit card details, all in one place. And more often than not, the data then makes its way onto the dark web, an underworld for the internet of sorts. And there it’s sold to the highest bidder. For instance, credit card details are sold for $12 to $20. And stolen banking credentials with a minimum balance of $2000 can go for $65 on average.

But data breaches aren’t the only thing companies need to worry about. There’s also Ransomware.

As we wrote earlier,

Think of Ransomware as computer code that encrypts (or locks) your data. If the code executes on your device successfully, then it’s quite possible you may never be able to retrieve your files. Unless that is, you had access to a special key — a key that will only be made available to you if you pay the ransom demanded by those holding your data hostage.

In some cases, the attackers will step it up a notch and threaten to publish sensitive data on the interweb if their demands aren’t met. At which point you have two options in front of you — either cede to their demands, pay the ransom and hope they decrypt the files for you, or simply risk dealing with the consequences yourself.

One report summarizing the impact of ransomware on 5,600 mid-sized organizations across Europe, the Americas, Asia-Pacific and Central Asia noted that 78% of Indian organizations surveyed in the study reported ransomware attacks. And they had to cough up a total of $1.2 million for each attack. It’s quite insane.

So, the question is, why are these hacks and ransomware attacks happening at such an alarming frequency? Aren’t we well-equipped to fend off these bad actors?

Well, for starters, there’s the digital revolution. The pandemic gave birth to the work-from-home model and security threats are no longer confined to the perimeter of an office building. In the meantime, hackers are adapting by exploiting vulnerabilities in “safe VPNs and other collaboration tools.”

And sometimes, it doesn’t even matter what high-end, intricate cybersecurity solution you use because the ‘user’ is the weakest link in the system. A single employee clicking on a suspicious link or opening unsolicited emails could potentially bring the entire organisation’s IT infrastructure to its knees.

There’s also the fact that we are building too fast these days. In a bid to ship products within a specified timeline, fintech firms are being forced to take the occasional shortcut. Which in turn creates security flaws.

The only positive news perhaps? Policymakers are trying to catch up.

For instance, our country doesn’t have breach disclosure policies at the moment. Companies may choose to report a breach to the Computer Emergency Response Team (CERT-In), an office under the Ministry of Electronics and Information Technology. However, they aren’t obligated to.

This is not the case in other parts of the world. For instance, in the EU, companies must report breaches within 72 hours. So right now, without a mandate to report these breaches, we might not even know when our personal data is compromised.

But that’s changing. CERT-In has announced its own data breach policy, giving companies just a six-hour window to report security breaches. These new rules will likely come into effect by July and hopefully shine more light on cybersecurity matters.

The government has also ramped up its budget for spending on cybersecurity matters and is in the throes of formulating a National Cybersecurity Strategy to beef up our defences.

But will all this be able to thwart the attacks by bad actors? Unlikely. They’ll adapt and hone their skills too, and we just have to be prepared for the inevitable. Companies had better be on their toes.

Until then…

Update: The story has been updated to reflect the nature of data breaches and how companies have only disclosed the breach after independent researchers stumbled on it.
