Are Indian firms too lax in data security and in responding to breach notices?
Thanks to assistance from Banbreach and Huffington Post reporter Rachna Khaira in India, a leak of thousands of children’s names and grades, and their parents’ names and email addresses has finally been secured. But it really shouldn’t have been so difficult to accomplish.
Back in August, I was contacted by one of a few researchers who often alert me to leaks or data dumps they are finding. In this case, I cannot credit the researcher, because by now, I don’t remember who it was, and when I recently asked a few of them, “Was this your research?” they couldn’t remember either. My note-taking clearly failed me on this, but what was clear at the time was that they had found thousands and thousands of children’s and parents’ records from the schoolcountry.com site.
SchoolCountry.com is a site oriented to making learning math fun. They create a number of activities for children in lower grades through NTSE (10th grade) level.
The exposed files contained parents’ and children’s names, the grade, and the parents’ email addresses, with the types of materials that had been sent out. In just two of the many exposed files, there were more than 7,000 such records. And yes, they were all in plain text.
And so on August 5, I used SchoolCountry’s published email address to contact them to alert them that they were exposing children’s and parents’ information. I received an autoresponse that they would get back to me shortly.
I emailed them again on August 12. I received the same autoresponse that they would get back to me soon. But again, they never did.
Time went by and I forgot to check back on the URLs until recently, when I discovered that they had never secured the files. On December 30, I tried another approach from their web site. I filled out their “Ask an Expert” query form with a somewhat frustrated comment.
Yes, you guessed it. I got another autoresponse that I would hear from someone soon, but of course, I didn’t.
Thankfully, and as fate would have it, I had recently connected with Suman Kar, the CEO of Banbreach, who agreed to try to make some local calls in India when I told him that I was looking at thousands of children’s records and had been unable to get the site to secure the data.
Within 24 hours, Kar had done some research and had tried to reach out to the parent company of the site. Schoolcountry.com is owned by Logic Roots, a toy and game manufacturer in Mumbai, India. Logic Roots was founded in 2011 by Gunjan Agrawal and Kunal Gandhi. It received $400,000 in seed money in 2015.
Thankfully, a Huffington Post reporter, Rachna Khaira, was able to give Banbreach the founders’ phone numbers. Even with the phone numbers, though, getting in touch and getting an appropriate response and action were not easy.
When several of Suman’s attempts to notify them by phone did not work, I sent a strong email to the executives of Logic Roots. Amazingly, in light of their firm’s previous lack of response, the email actually got a response – not from their founders or CTO, though, but from their head of marketing, Rohit Singhal, who wrote:
Hi, Thanks for letting us know. We really appreciate your effort and sorry for the leaks. We have removed those data from the website and are working on plugging why that happened.
So now the exposed URLs return 404 messages. But how many IP addresses accessed those files while they were exposed? The data would be valuable for spamming or phishing parents of students, or for social engineering. And sadly, from what Kar tells me, data protection in India — particularly when it comes to the data of children — is horribly weak.
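The question of how many IP addresses fetched the files while they were exposed is one the site operator can answer from its own web-server access logs, provided the logs were retained for the exposure window. The script below is an added illustration for this post, not code from SchoolCountry, Logic Roots or Banbreach: it parses combined-format access log lines and reports the distinct client IPs that successfully downloaded a given set of exposed paths. The file paths and log lines are constructed for the example; the real exposed URLs are not reproduced here.

```python
"""Count distinct client IPs that fetched specific exposed files, using
web-server access logs in the Apache/nginx combined log format.

Added illustration for this post (not the site's own code). The paths and
log lines are constructed; the real exposed URLs are deliberately not used.
"""
import re
from collections import defaultdict

# Combined log format as written by Apache and nginx default configurations.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample: two hypothetical exposed export files plus unrelated traffic.
# The last line is a fetch after the files were removed (404) and must not count.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Aug/2018:10:12:01 +0530] "GET /exports/orders_grade3.csv HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Aug/2018:10:12:05 +0530] "GET /exports/orders_grade4.csv HTTP/1.1" 200 51007 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Aug/2018:22:40:19 +0530] "GET /exports/orders_grade3.csv HTTP/1.1" 200 48213 "-" "python-requests/2.19"
192.0.2.44 - - [09/Aug/2018:22:41:03 +0530] "GET /index.html HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2019:08:00:00 +0530] "GET /exports/orders_grade3.csv HTTP/1.1" 404 153 "-" "python-requests/2.19"
"""

# Hypothetical paths standing in for the exposed files.
EXPOSED_PATHS = {"/exports/orders_grade3.csv", "/exports/orders_grade4.csv"}


def parse_access_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def exposure_report(text, exposed_paths):
    """Return {path: sorted distinct IPs} for successful (2xx) GETs of exposed paths."""
    hits = defaultdict(set)
    for rec in parse_access_log(text):
        if (rec["path"] in exposed_paths
                and rec["method"] == "GET"
                and rec["status"].startswith("2")):
            hits[rec["path"]].add(rec["ip"])
    return {path: sorted(ips) for path, ips in hits.items()}


def total_distinct_ips(report):
    """Number of distinct IPs across all exposed paths in a report."""
    return len(set().union(*report.values())) if report else 0


if __name__ == "__main__":
    report = exposure_report(SAMPLE_LOG, EXPOSED_PATHS)
    for path, ips in sorted(report.items()):
        print(f"{path}: {len(ips)} distinct IP(s): {', '.join(ips)}")
    print("total distinct IPs:", total_distinct_ips(report))
```

Two caveats apply when reading such a report: a distinct IP is not a distinct person (shared NAT, proxies and crawlers all collapse or inflate the count), and if the files were served through a CDN or cache, the origin server's logs will only show the fetches that reached it, so the CDN's own logs are needed as well.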
“There are two separate issues here,” Kar told this site. “Lack of regulatory oversight is a major problem with companies not treating data right, and as a society, we probably do not see children as independent entities – they are viewed more as an extension of their parents. So you know – anything goes. No one cares.”
Kar says that there is a draft data protection bill in the pipeline. One of the provisions of the proposed legislation might penalize a company up to 4% of its revenues for a breach, but at the current time, there are no such provisions for monetary penalties for breaches that consumers can try to sue under, it seems. September 2018 coverage of the draft protection bill can be found on the companion site, PogoWasRight.org, where searching for “India” will return a number of additional posts about data protection in India.
When I asked Kar about his usual experience in attempting to make notifications to Indian firms, he described it as a very difficult process.
“Companies suffer from the Ostrich syndrome,” he told this site. “They believe the problem (hacker report) will go away if they ignore. And while security is something we are waking up to as a nation, privacy is a foreign concept. Longer term impacts of data breaches are simply not understood,” Kar stated. Kar is disappointed by the tone at the top. “While you can’t expect the rank and file to grasp these issues well,” Kar said, “executives, also, seem to wish problems away.”
Well, it’s not like we haven’t seen the Ostrich syndrome here, too, and it’s not like this site and the researchers that contact me haven’t also had our own frustration in other incidents where we tried repeatedly to notify entities that they were leaking. But the situation does seem worse in India than in the U.S. in terms of lack of strong laws protecting privacy and data security.
DataBreaches.net reached out to the Internet Freedom Foundation to ask for a comment about these breaches and leaks, but hasn’t heard back as yet.