Chennai-based finance professional Karthika G was shocked when a senior Swiggy employee jokingly told her that he could easily access her address from her account at the food delivery app.
Last year, ethical hacker Sunny Nehra met a former Amazon India employee on the Dark Web who was trying to sell customer data he had gathered before leaving his job. This included user details, addresses, their searches, orders and also details on what they didn’t buy, Nehra told BusinessLine.
On July 12, a machine learning engineer from Kanpur, Surendra Kumar, was notified by his antivirus that his “personal information was leaked in data breaches of at least three services he had used in the past including BigBasket, Dominos and IIMJobs”. On further digging, he found out that the leaked data had his e-mail address, phone number, date of birth and his IIMJobs.com profile — adequate information for anyone to create a fake online identity.
While it is an open secret that most new-age Internet companies have access to our data, little is known about who is getting to see that data, and how much data they have.
“Data is readily available to the company employees, especially senior executives and those working in the data analytics teams who access the customer data to analyse what the customer needs are,” points out Srinivas Kodali, independent researcher and privacy rights activist.
Kodali, however, adds that access controls on which employees get to see what data vary from firm to firm.
Bigger companies like Google and Amazon can track which employee is accessing which user’s data, according to Nehra. Between 2018 and 2020, Google fired nearly 80 employees for abusing access to company tools and data, some of whom were misusing user and employee data.
Misuse is rife
Increasingly, cases of employees going rogue and misusing data are surfacing. In 2019, an Amazon customer care executive from Pune and a former employee were jailed for committing a fraud of ₹1.85 crore through Amazon’s Gift Cards.
“There are several groups on Facebook whose users are dealing in data through those circuits. Many of these users are employees of those companies they have accessed data from,” Nehra said.
E-mails sent to Practo, Swiggy and Amazon didn’t elicit responses at the time of going to press. India is yet to pass a legal framework around data protection.
Need for strict laws
There’s a draft Personal Data Protection Bill pending, which is likely to take care of some of these issues by holding companies accountable when there’s a breach and also by giving consumers more clarity on the legal recourse they could opt for.
“Companies are actually more prone to insider data getting leaked. Employees have often taken data from one company and leaked them to a rival and joined them,” points out Kodali.
“The good thing is, while Dark Web hackers are hard to catch, internal employees can get caught easily. Due to lack of laws, both companies and employees are taking this issue lightly and there is hardly any awareness. Companies are much more wary in Europe given stricter laws there,” Nehra added.