For a layperson, what do recent events of data breach and manipulation mean? Are there serious repercussions, especially given the fact that crores of people’s records have been compromised? The chances of an individual being impacted might thus be minuscule. Deloitte’s Forensic team, through fictitious cases, helps explain different data breach scenarios and their impact. These cases have been put together based on the team’s extensive experience of working on some of the top fraud, misconduct and noncompliance investigations in India over the last decade.
Nikhil Bedi | Karan Bhasin
(The following story is a work of fiction to outline the importance of taking cybersecurity seriously)
Premature victory
This was it. The moment Dinesh Ahuja had waited for 20 years. As he walked towards the podium, the flash from the cameras made it difficult to see ahead. WaveZone Telecom had recently launched a mobile app that had seen over 100 million downloads in less than a week.
It was a proud moment for the CEO (Ahuja).
As he was elaborating on the company’s growth with journalists, he saw a message on his phone that read: "Can we give Dhananjay a new phone and close this?"
Dhananjay, the company’s lead IT manager, had been requesting a phone since his previous device had been stolen eight months ago. The second-hand phone he bought in a rush had been giving him some trouble. While Ahuja prided himself on being a hands-on CEO, he simply did not have time to deal with such trivial requests at the moment.
Today, he had more important matters to discuss with journalists and well-wishers.
On the other side of town, freelance cybersecurity analyst Zahyan had seen his fair share of unorthodox internet-related situations, yet nothing prepared him for the volume of traffic he was seeing pinging a nondescript Ukrainian server.
Even stranger was the fact that his packet tracing program had identified the source of the millions of pings as India. Zahyan had assumed the Ukrainian server was some cloud company’s server for the Asia region. However, when he checked public domain records, he could find no information on the owner of the server.
Beep... beep... beep... The computer had managed to decrypt some strings that were being sent to the server. Every string seemed to contain the characters "WZ_Cri". Zahyan knew he had won bragging rights.
The nightmare
Dinesh woke up, yet again with a headache. The events of the last four days refused to go away from his memory. An independent cybersecurity analyst, Zahyan, had blown the whistle on how WaveZone’s app had some malicious code within it that sent all users’ data to a remote Ukrainian server.
The same journalists who had praised his achievements at the event had gone on to publish front-page stories on how the WaveZone app had knowingly facilitated a data breach with an aim to get customer information and grow business.
Customers were predictably irate and were uninstalling the app at record rates. Personal apologies had not sufficed and five government notices had followed swiftly seeking an explanation from the company. "What went wrong?" Ahuja thought.
What no one knew
The origin of the problem was Dhananjay’s stolen phone. The thief, a member of a hacker network, cracked the password and accessed his data, including credentials for TeamViewer, an app used by WaveZone managers to remotely access their projects.
Soon the hacker network had access to WaveZone’s entire source code database.
The hackers inserted two pieces of malicious code into the customer app’s code library. One piece uploaded all users’ data to the Ukrainian server, and that data was sold to data brokers around the world. The other piece allowed the hackers to gain root access to whichever phone the app was installed on.
They used this access to download a specific piece of malware onto each user’s phone. The malware mined Chaandi (a cryptocurrency) using the phone’s computing power. The computing power of over 100 million phones added up pretty fast.
The price of Chaandi had also been rising in the cryptocurrency markets at a steady pace. The hackers, all Chaandi owners, became millionaires in two days.
(Nikhil Bedi is Partner, Deloitte India and Karan Bhasin is Senior Executive, Deloitte Touche Tohmatsu India LLP)