Internet privacy laws in India

NinByChoice

I was planning on taking the services of a financial firm and was checking out their website for details. Found that they have made the personal details of every one of their customers (and there are quite a few millions) available to anyone who can guess a simple URL.

No authentication of any sort is done prior to displaying the information.

These are the details that are shown:

  1. Name
  2. Father's Name
  3. Address
  4. Phone Number
  5. Mobile Number
  6. Date of Birth
  7. PAN Number
  8. Monthly Salary
  9. Bank, Branch where they have an account
  10. Account Number, at the branch mentioned above

Are there any privacy laws in India that can curb this? Whom should I complain to?

On a side note, is guessing the URL a crime? :P
 
It's got to be one of the Indian banks. Foreign banks don't display such info, but I could be wrong. Man, that is scary though, as most of the information is used for secure confirmations.
 
Did you know that if you know the reg no of a Tata car, you could find out its owner's name, phone no via the tata website?
 
I'm not comfortable revealing the firm's identity and how to obtain the information until I'm sure that I won't be arrested for "hacking". If somebody can help me with my questions, I will see how this can be taken forward.

1) Am I wrong to access a simple URL? Can I be charged for unauthorised access?
2) Can I post the access method and company details on TE? Will TE be in trouble if I do it?
3) Anyone know people in the media that will be interested in getting this out to the public? Basically to save my a$$.
4) Can I sue the company for 1 billion, gagillion, fafillion, shabolubalu million illion yillion...yen?

Thanks Metalspree, for the suggestions!! Sent you a nibble too :)

OT: How about posting the details on 4chan and let the firm deal with /b tards? :P
 
saumilsingh said:
If someone's front door is open, do you just walk into their house?

If you don't, does that mean the next person noticing won't?

Maybe you should shoot an email to the company first, save an image of the page, and if you have been victimized, get a lawyer. This is a serious breach of privacy.
 
^^ Replied.

H2O said:
saumilsingh said:
If someone's front door is open, do you just walk into their house?

If you don't, does that mean the next person noticing won't?

Maybe you should shoot an email to the company first, save an image of the page, and if you have been victimized, get a lawyer. This is a serious breach of privacy.

Precisely. If my things are kept inside their house, shouldn't I be worried about my things being stolen? Don't they have an obligation to protect it? What if someone else walks in and steals my stuff? It's my identity that's been compromised. I don't want to steal anything, I just want to point out that the door is open or maybe that they don't have a door at all.

I have given my personal data to the firm in the belief that they will safeguard it as best as they can. Is the current level of security the best they can do? Does the law specify a minimum level of security to be provided, something like VerifiedByVisa?

Apparently there are no clear privacy laws in India.

Privacy and Human Rights

So it seems that the firm is not doing anything clearly illegal.

Also, Section 43 of the IT Act 2000 provides for serious punishment for unauthorised access.

Cyber Crime And Law

Reporting this issue could get me into trouble for unauthorised access.

It looks like I'm just gonna have to keep this to myself :(
 
saumilsingh said:
If someone's front door is open, do you just walk into their house?

You do have a responsibility as a mature citizen to contact the owner of the house and let him know it is open. Yes, you can walk in to secure the premises until the owner comes. Then you can explain the insecurity on his part. I am guessing you will be thanked.
 
My post was in answer to the OP's query regarding whether or not he could get into trouble over trying to 'guess' his way around.
I wasn't defending the bank's weak security measures.
 
8, 9, 10 being available without security measures is really, really bad.

Though, this is for the OP. You mentioned that you 'guessed' the URL. What exactly did you do here? If a password/encrypted is being passed via the URL, did you try a random option here, or do you have the capability to specifically fabricate the URL such that, if person AABB is a customer of this firm, you can get directly into their account details? (Please do not tell me that just appending a customer's name at the end of the URL --- popped up their confidential details.)

If it is the first, and you are trying random shots and succeeded, I guess the firm needs to tighten up their net security. If it is the latter, then you are hacking -- but yes, the firm should make better provisions to protect confidential data.
 
asingh said:
Please do not tell me that just appending a customer's name at the end of the URL --- popped up their confidential details.

That's pretty much what's happening. Is this hacking too?

I'm gonna get in touch with the Cyber Crime Cell soon about this. Or maybe one of the media groups.
 
Hey NinByChoice, a very similar incident occurred very recently at the Durex India estore, you can read more about it here:

Durex Data Breach

From a search on Google News, I don't see any media coverage on this story, so the implication is that Indian media does not think privacy issues are newsworthy. So your approaching media groups might not help.

Also, from my knowledge, one would have to prove that a "crime" was committed in order to approach the Cyber Crime Cell. Release of private information to an unsecure environment, however reprehensible that may be, may not directly lead to a crime, or proving that a crime was a direct result of such a leak of information is next to impossible. So the law is too weak to force businesses to protect customers' privacy.

Your best bet might be to request the institution to take the information offline, if not to protect their customers' privacy, at least to protect their own business from competitors targeting their customers...
 