Leaky databases
Last year, in April, Pakistani social media was abuzz with complaints from bank customers whose money had been stolen through fraudulent and unauthorised internet transactions, money transfers, asset transfers and the like. After days of chatter, the bank concerned released only a short press release in which it maintained that it had not suffered any data breach. The statement appeared to imply that the transactions occurred because customers had handed over their confidential PINs and other details in phishing attacks, or had accepted payment requests from fraudulent sources. The netizens did not agree, and the discourse continued.
The large number of victims and their geographical spread, together with the fact that many claimed never to have activated internet banking at all, or never to have received the OTPs for these transactions, suggests that some form of data breach may indeed have occurred. It also indicates that sensitive personal data of many customers somehow ended up in the wrong hands, allowing attackers to access other people's accounts or to use their debit or credit cards for online transactions. Where that data leaked from is a separate question: card and account details can be exposed at the bank, but also at a merchant, a payment processor or a point-of-sale terminal fitted with a skimmer, and a transaction that goes through without any OTP ever reaching the customer is consistent with any of these.
Obviously, it is hard to say anything definite, as the bank gave out very little information, and victims' concerns could therefore not be allayed. Furthermore, it was unfortunate that the statutory regulator of commercial banks, the State Bank of Pakistan, was quick to reject the news, later in the year, that some banks in Pakistan had suffered a cybersecurity breach. No news of a serious investigation ever emerged. Nor has the FIA, the law-enforcement agency responsible for cybercrime, shed any light on these incidents or on the progress of their investigation.
As the world grows more interconnected via the internet, people have come to rely heavily on digital banking services and other financial technology tools for the sake of convenience. This shift was accelerated by a worldwide pandemic, which forced much of the world to move many aspects of everyday life into digital spaces. From paying bills to transferring money, internet-based banking and its supporting services are here to stay. The solution to such a crisis therefore cannot be to deactivate our digital banking services and shy away from internet transactions.
We cannot live in fear of digital highway robbers and expect to develop and grow as a nation. The solution is to increase our awareness of the digital world, improve the security of our systems, build stronger policies for the protection of our data, legislate more robust and consumer-friendly laws, and demand more services and better security from our banking institutions, our regulators and the law-enforcement agencies.
One highly effective tool for protecting consumers from the ever-growing risk of cybersecurity breaches is data breach notification legislation. Almost a global standard today, data breach notification laws require covered entities such as businesses, banks and government departments to keep records of the security of their systems and of any incidents affecting personal data, so that a breach can be detected and documented rather than quietly absorbed.
Whenever a covered entity knows, or has reason to suspect, that personal data of its customers or users has been accessed or acquired without authorisation, it is obliged to notify the affected persons, the regulators and the law-enforcement agencies of the incident. The notification to the affected persons whose data has potentially been compromised must be sent as quickly as possible; notification to the regulator is commonly tied to a fixed deadline, such as 72 hours from discovery under the EU's GDPR. It should contain all the relevant details of the breach, together with practical advice on the immediate steps the affected persons can take to protect themselves from identity theft. Failure to send these notifications exposes the covered entity to civil penalties imposed by the regulator and to collective legal action by the private citizens harmed by the breach.
Currently, neither the SBP Regulations on the Security of Internet Banking (2015) nor the BPRD Circular No. 07 of 2016 on 'Prevention of Cyber Attacks' contains such a requirement; there is only a requirement for banks to report security breaches to the State Bank every quarter, and nothing obliging them to tell the affected customers. Obviously, those in any industry or public department that uses the personal data of the citizens of Pakistan will raise a hue and cry that such an obligation would be onerous and costly to implement. But personal data, once in the hands of unknown actors, can be used to wreck our lives through identity theft and a whole host of other criminal activities.
If we are to allow businesses and governmental departments to collect and use such sensitive personal data about us then we must ensure that our data is not only kept safe and secure but that if it is compromised, we are the first ones to hear about it.
The writer is a data privacy and technology law specialist.
Published in Dawn, May 15th, 2022