Given how the intensity of cyberattacks has been increasing during the pandemic, it is not surprising that Indian companies have borne the brunt of it. In the absence of any common minimum standards, each company in India follows its own parameters. While most attacks entail stealing account information and logins, the biggest one for 2021 happened at a cryptocurrency exchange, BuyUCoin, where KYC details of 325,000 Indian users were leaked.
Two years ago, another cryptocurrency exchange, Binance, was part of another KYC leak, and last year yet another crypto platform, Digitex, started an investigation into the leak of KYC details of 8,000 users.
While the usual response to data leaks is for companies to strengthen their servers and put more data safety protocols in place, Digitex announced that it would stop KYC verification. KYC verification has been made mandatory for cryptocurrency platforms to make tracking money easier and to prevent it from being used for illegal purposes.
Although none of the Indian banks have reported a leak, it is surprising that most companies are not using the solution provided by the government, and that the government is not pushing for it either.
Why do companies need to store data in the first place, when the whole idea of DigiLocker was that users could share verified, government-issued documents and companies could confirm them online, removing the hassle of printouts and attestations? More importantly, at the time, the government had envisaged that users could set a time limit for sharing data, after which the company would not be able to confirm the details.
More services have been added to the DigiLocker since (the new Covid vaccination certificates are also to be dispensed using the service), but the government is not fully leveraging this solution. Rather, the project has languished in terms of sharing of data. Leave alone private institutions, even government banks rarely use the service.
So, on the one hand, while there is a need to expand the ambit of DigiLocker and get more players to use this service, on the other, the government needs to invite private players to start their own locker services. Earth.ID has been leveraging blockchain to create identity management wallets. The system creates an extra layer of protection by assigning a trust score. Each time a vendor confirms user information, the trust score increases, and users can rescind access at any point in time.
The new data protection law envisages companies creating a dashboard to show where all user data is shared. This would help users understand how companies deal with data, but would not stem data leaks. Thus, a better idea would be to allow verification and access to happen via DigiLocker and other services.