ClubHack, profile picture
Uploaded byClubHack
1,027 views

Data theft in india (K K Mookhey)

- Data theft of customer records from financial institutions is a serious and growing problem in India, with records being sold online for less than $0.01 each. Customer data is often not well protected and is spread across many different systems with broad access. - Regulatory frameworks and enforcement are still weak, and many organizations do not prioritize data protection. Comprehensive solutions require changes to policies, processes, oversight of vendors, access controls, encryption, and other technologies. Stronger laws and regulations may also be needed to curb the problem.

Embed presentation

Downloaded 96 times
Data Theft in India - Seedhi baat, no bakwas K. K. Mookhey, Principal Consultant CISA, CISSP, CISM
Speaker Introduction Founder & Principal Consultant Network Intelligence Institute of Information Security Certified as CISA, CISSP and CISM Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008,2009 Co-author of book on Metasploit Framework (Syngress), Linux Security & Controls (ISACA) Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA) Over a decade of experience in pen-tests, application security assessments, forensics, compliance, etc.
Agenda What’s the ground reality Recent news Financial institution data theft explored Challenges Solutions Conclusion
Let’s see now….
Well, yes Sir, you’ve been had!
It’s not paranoia… It’s actually happening!
Data theft in the recent past
What price India? Online examples…
Less than 1 cent per record! http://www.jobstiger.com/emaildatabaseindia.html http://www.kumudhamwebtech.com/ http://hyderabad.olx.in/38-lakh-stock-market-traders- dmat-account-holders-database-44000-sub-brokers-iid- 106295300 http://www.ebusinessindya.biz/ http://www.mobiledataindia.com/ http://www.gsquare.biz/data.html
Fresh record price = Rs. 75 Converted customer price = Rs. 150 View from the trenches…
Pick an industry, pick a company Large business house gets into the financial services industry with a big bang But slightly late in the game Huge marketing blitz, offices opened nationwide Aggressive marketing, huge ad spends Customer base widens Assets under management bloats In a couple of years, they’re within the top 5 private insurers, equity trading companies, and mutual funds! However…
Data all over the place… Specific mutual fund purchase records available for a price Customers get calls just before their fund payments are due Customers get calls to switch funds Specific data available: Customer name Cover amount Investment amounts Fund details Personal information Expiry dates And more…
What should the company do to fix this?
Why data isn’t being protected
No one gives a damn!
Where is the customer data? – Equity Trader Example Primary Trading system CRM Business Intelligence system Compliance Reporting system Backups Password Reset system Excel Flat files USBs Shared folders!
Who has access to it? Front-office Back-office IT Research Customer service Vendors KYC Call Center Direct Sales Agents (Devil’s in-Security Agents) DPs Registrars Settlement Finance & Accounts Cleaning Staff??
Ok, now I’m just depressed… But there’s more…
Weak regulatory framework Unless someone serious starts kicking some serious ass, nothing’s going to change… RBI SEBI AMFI But what about? IRDA TRAI •UID? •Healthcare?? •Pharma?? •FMCG?? •Retail?? •Government????
Government’s role No comprehensive national consciousness on data protection Data protection efforts not cohesive – don’t address all industries Government endorses data theft and invasion of privacy? Niira Radia tapes Blackberry controversy …
Business comes first! Sell more! Expand market share! Heavy reliance on limited number of outsourced vendors Weak mechanisms to oversee data protection by vendors Vendors don’t care…
When things do end up in court… Judge: IT?!? Senior Counsel: Well…umm…err…you see this is under Section 66 of IT Act because, well…err… Junior Counsel (whispering): Sir…we need to get imaging done…not sure what that is, but the “cyber expert” we hired told us to do this Judge: Please continue! Senior Counsel: Sir we need a forensic investigation done Judge: What is that?!? Okay, seal the website! Court-appointed Commissioner: Yes sir, but kindly clarify who pays my fees?
Here’s how it gets done!
Solutions?
Solutions Technologies Encryption Data Leakage Prevention Information Rights Management Database security solutions Audit/Log Management Stronger regulations Stronger laws or stronger enforcement of existing laws Mindset change Data protection does matter! It is NOT a technology issue Policy and process frameworks must be implemented ISO 27001 is not the answer
Conclusions
Summary It is an epidemic, and it is getting worse! When Big Brother wields the stick, then things begin to happen – fines, penalties, court cases Back to basics approach – thorough risk assessments! Identity and access management Technologies help, but it has to begin with PPP – Policy, Process, People Innovative audit/forensic techniques
Thank you! Questions / Queries K. K. MOOKHEY kkmookhey@niiconsulting.com NETWORK INTELLIGENCE INDIA PVT. LTD. www.niiconsulting.com

More Related Content

PDF
The Trick to Passing Your Next Compliance Audit
bySBWebinars
 
PPTX
Siskinds | Incident Response Plan
byNext Dimension Inc.
 
PPTX
Data Privacy: What you need to know about privacy, from compliance to ethics
byAT Internet
 
PPTX
Next Dimension: How to create a Cybersecurity Strategy
byNext Dimension Inc.
 
PDF
GDPR Webinar - feb
bySophos Benelux
 
PDF
Ecosystm BreakFirst presentation slides
byChris White
 
DOCX
Data privacy and security in uae
byRishalHalid1
 
PDF
Convince your board - Ten steps to GDPR compliance
byDave James
 
The Trick to Passing Your Next Compliance Audit
bySBWebinars
 
Siskinds | Incident Response Plan
byNext Dimension Inc.
 
Data Privacy: What you need to know about privacy, from compliance to ethics
byAT Internet
 
Next Dimension: How to create a Cybersecurity Strategy
byNext Dimension Inc.
 
GDPR Webinar - feb
bySophos Benelux
 
Ecosystm BreakFirst presentation slides
byChris White
 
Data privacy and security in uae
byRishalHalid1
 
Convince your board - Ten steps to GDPR compliance
byDave James
 

What's hot

PPTX
Investment in Legal Technology
byEvolve Law
 
PPT
Consumer Privacy
byAshish Jain
 
PPTX
Privacy issues in data analytics
byshekharkanodia
 
PDF
Is Ukraine safe for software development outsourcing?
byN-iX
 
PPT
GDPR - are you ready?
byAnkit Dua
 
PPTX
Personally Identifiable Information – FTC: Identity theft is the most common ...
byJan Carroza
 
PPTX
Cybersecurity: What does Cyber Insurance Cover?
byNext Dimension Inc.
 
PPTX
Cybersecurity pres 05-19-final
byVivek Ahuja
 
PPT
Pci Europe 2009 Underside Of The Compliance Ecosystem
bykpatrickwheeler
 
PPT
Policies and Law in IT
byAnushka Perera
 
PPTX
Open Source Insight: Banking and Open Source, 2018 CISO Report, GDPR Looming
byBlack Duck by Synopsys
 
PPTX
Privacy in the digital space
byYves Sinka
 
PPTX
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
byHuman Capital Department
 
PDF
Privacy & Data Protection in the Digital World
byArab Federation for Digital Economy
 
PPTX
Target data breach presentation
bySreejith Nair
 
PDF
Target data breach case study
byAbhilash vijayan
 
PPTX
Data Governance in the Enterprise: Highlights from Our Research Report
byBlancco
 
PDF
Key Insights from the 2019 Legal Trends Report
byClio - Cloud-Based Legal Technology
 
PDF
How can you improve cybersecurity at your law firm?
byClio - Cloud-Based Legal Technology
 
PPTX
Smarter Security - A Practical Guide to Doing More with Less
byOmar Khawaja
 
Investment in Legal Technology
byEvolve Law
 
Consumer Privacy
byAshish Jain
 
Privacy issues in data analytics
byshekharkanodia
 
Is Ukraine safe for software development outsourcing?
byN-iX
 
GDPR - are you ready?
byAnkit Dua
 
Personally Identifiable Information – FTC: Identity theft is the most common ...
byJan Carroza
 
Cybersecurity: What does Cyber Insurance Cover?
byNext Dimension Inc.
 
Cybersecurity pres 05-19-final
byVivek Ahuja
 
Pci Europe 2009 Underside Of The Compliance Ecosystem
bykpatrickwheeler
 
Policies and Law in IT
byAnushka Perera
 
Open Source Insight: Banking and Open Source, 2018 CISO Report, GDPR Looming
byBlack Duck by Synopsys
 
Privacy in the digital space
byYves Sinka
 
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
byHuman Capital Department
 
Privacy & Data Protection in the Digital World
byArab Federation for Digital Economy
 
Target data breach presentation
bySreejith Nair
 
Target data breach case study
byAbhilash vijayan
 
Data Governance in the Enterprise: Highlights from Our Research Report
byBlancco
 
Key Insights from the 2019 Legal Trends Report
byClio - Cloud-Based Legal Technology
 
How can you improve cybersecurity at your law firm?
byClio - Cloud-Based Legal Technology
 
Smarter Security - A Practical Guide to Doing More with Less
byOmar Khawaja
 

Similar to Data theft in india (K K Mookhey)

PPTX
Proven Practices to Protect Critical Data - DarkReading VTS Deck
byNetIQ
 
PPT
George Gavras 2010 Fowler Seminar
byDon Grauel
 
PDF
Data Privacy
bycliff_rudolph
 
PDF
Information Security It's All About Compliance
byDinesh O Bareja
 
PPTX
Data Privacy
byHome
 
PDF
Relationship between data protection and m&a (1)
byAshish vishal
 
PDF
Threat Ready Data: Protect Data from the Inside and the Outside
byDLT Solutions
 
PDF
Women in Technology Leadership
byVARIndiaManishYadav
 
PPT
Compliance audit under the Information Technology Act, 2000
bySagar Rahurkar
 
PDF
Data Leakage Prevention (DLP)
byHaris Tahir
 
PDF
Data Security and Data Governance: Foundation and Case Studies - November 4, ...
byDr. Thiti Vacharasintopchai, ATSI-DX, CISA
 
PDF
Why Data Sovereignty Is Important for Indian Enterprises
byESDS Software Solution Limited
 
PDF
Data Security Regulatory Lansdcape
byBrian Bauer
 
PDF
Where In The World Is Your Sensitive Data?
byDruva
 
PPTX
IAPP - Trust is Terrible Thing to Waste
byDave Steer
 
PDF
Big Data Requires Big Protection
byIBM Security
 
PDF
It news in india
byVARIndiaManishYadav
 
PDF
Varindia
byVARIndiaManishYadav
 
PDF
It news today
byVARIndiaManishYadav
 
PDF
Varindia var india
byVARIndiaManishYadav
 
Proven Practices to Protect Critical Data - DarkReading VTS Deck
byNetIQ
 
George Gavras 2010 Fowler Seminar
byDon Grauel
 
Data Privacy
bycliff_rudolph
 
Information Security It's All About Compliance
byDinesh O Bareja
 
Data Privacy
byHome
 
Relationship between data protection and m&a (1)
byAshish vishal
 
Threat Ready Data: Protect Data from the Inside and the Outside
byDLT Solutions
 
Women in Technology Leadership
byVARIndiaManishYadav
 
Compliance audit under the Information Technology Act, 2000
bySagar Rahurkar
 
Data Leakage Prevention (DLP)
byHaris Tahir
 
Data Security and Data Governance: Foundation and Case Studies - November 4, ...
byDr. Thiti Vacharasintopchai, ATSI-DX, CISA
 
Why Data Sovereignty Is Important for Indian Enterprises
byESDS Software Solution Limited
 
Data Security Regulatory Lansdcape
byBrian Bauer
 
Where In The World Is Your Sensitive Data?
byDruva
 
IAPP - Trust is Terrible Thing to Waste
byDave Steer
 
Big Data Requires Big Protection
byIBM Security
 
It news in india
byVARIndiaManishYadav
 
Varindia
byVARIndiaManishYadav
 
It news today
byVARIndiaManishYadav
 
Varindia var india
byVARIndiaManishYadav
 

More from ClubHack

PDF
India legal 31 october 2014
byClubHack
 
PPTX
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
byClubHack
 
PPT
Cyber Insurance
byClubHack
 
PPTX
Summarising Snowden and Snowden as internal threat
byClubHack
 
PPTX
Fatcat Automatic Web SQL Injector by Sandeep Kamble
byClubHack
 
PDF
The Difference Between the Reality and Feeling of Security by Thomas Kurian
byClubHack
 
PDF
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
byClubHack
 
PPTX
Smart Grid Security by Falgun Rathod
byClubHack
 
PPTX
Legal Nuances to the Cloud by Ritambhara Agrawal
byClubHack
 
PPT
Infrastructure Security by Sivamurthy Hiremath
byClubHack
 
PDF
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
byClubHack
 
PPTX
Hacking and Securing iOS Applications by Satish Bomisstty
byClubHack
 
PPTX
Critical Infrastructure Security by Subodh Belgi
byClubHack
 
PPTX
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
byClubHack
 
PDF
XSS Shell by Vandan Joshi
byClubHack
 
PDF
Clubhack Magazine Issue February 2012
byClubHack
 
PDF
ClubHack Magazine issue 26 March 2012
byClubHack
 
PDF
ClubHack Magazine issue April 2012
byClubHack
 
PDF
ClubHack Magazine Issue May 2012
byClubHack
 
PDF
ClubHack Magazine – December 2011
byClubHack
 
India legal 31 october 2014
byClubHack
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
byClubHack
 
Cyber Insurance
byClubHack
 
Summarising Snowden and Snowden as internal threat
byClubHack
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
byClubHack
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
byClubHack
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
byClubHack
 
Smart Grid Security by Falgun Rathod
byClubHack
 
Legal Nuances to the Cloud by Ritambhara Agrawal
byClubHack
 
Infrastructure Security by Sivamurthy Hiremath
byClubHack
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
byClubHack
 
Hacking and Securing iOS Applications by Satish Bomisstty
byClubHack
 
Critical Infrastructure Security by Subodh Belgi
byClubHack
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
byClubHack
 
XSS Shell by Vandan Joshi
byClubHack
 
Clubhack Magazine Issue February 2012
byClubHack
 
ClubHack Magazine issue 26 March 2012
byClubHack
 
ClubHack Magazine issue April 2012
byClubHack
 
ClubHack Magazine Issue May 2012
byClubHack
 
ClubHack Magazine – December 2011
byClubHack
 

Recently uploaded

PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
MuleSoft Vibes is an AI-powered assistant
byVikalp Bhalia
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
The year in review - MarvelClient in 2025
bypanagenda
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
December Patch Tuesday
byIvanti
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
MuleSoft Vibes is an AI-powered assistant
byVikalp Bhalia
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 

Data theft in india (K K Mookhey)

  • 1.
    Data Theft inIndia - Seedhi baat, no bakwas K. K. Mookhey, Principal Consultant CISA, CISSP, CISM
  • 2.
    Speaker Introduction Founder& Principal Consultant Network Intelligence Institute of Information Security Certified as CISA, CISSP and CISM Speaker at Blackhat 2004, Interop 2005, IT Underground 2005, OWASP Asia 2008,2009 Co-author of book on Metasploit Framework (Syngress), Linux Security & Controls (ISACA) Author of numerous articles on SecurityFocus, IT Audit, IS Controls (ISACA) Over a decade of experience in pen-tests, application security assessments, forensics, compliance, etc.
  • 3.
    Agenda What’s theground reality Recent news Financial institution data theft explored Challenges Solutions Conclusion
  • 4.
  • 5.
    Well, yes Sir,you’ve been had!
  • 6.
    It’s not paranoia… It’s actually happening!
  • 7.
    Data theft inthe recent past
  • 12.
    What price India? Online examples…
  • 13.
    Less than 1cent per record! http://www.jobstiger.com/emaildatabaseindia.html http://www.kumudhamwebtech.com/ http://hyderabad.olx.in/38-lakh-stock-market-traders- dmat-account-holders-database-44000-sub-brokers-iid- 106295300 http://www.ebusinessindya.biz/ http://www.mobiledataindia.com/ http://www.gsquare.biz/data.html
  • 14.
    Fresh record price= Rs. 75 Converted customer price = Rs. 150 View from the trenches…
  • 15.
    Pick an industry,pick a company Large business house gets into the financial services industry with a big bang But slightly late in the game Huge marketing blitz, offices opened nationwide Aggressive marketing, huge ad spends Customer base widens Assets under management bloats In a couple of years, they’re within the top 5 private insurers, equity trading companies, and mutual funds! However…
  • 16.
    Data all overthe place… Specific mutual fund purchase records available for a price Customers get calls just before their fund payments are due Customers get calls to switch funds Specific data available: Customer name Cover amount Investment amounts Fund details Personal information Expiry dates And more…
  • 17.
    What should thecompany do to fix this?
  • 18.
    Why data isn’tbeing protected
  • 19.
    No one givesa damn!
  • 20.
    Where is thecustomer data? – Equity Trader Example Primary Trading system CRM Business Intelligence system Compliance Reporting system Backups Password Reset system Excel Flat files USBs Shared folders!
  • 21.
    Who has accessto it? Front-office Back-office IT Research Customer service Vendors KYC Call Center Direct Sales Agents (Devil’s in-Security Agents) DPs Registrars Settlement Finance & Accounts Cleaning Staff??
  • 22.
    Ok, now I’mjust depressed… But there’s more…
  • 23.
    Weak regulatory framework Unless someone serious starts kicking some serious ass, nothing’s going to change… RBI SEBI AMFI But what about? IRDA TRAI •UID? •Healthcare?? •Pharma?? •FMCG?? •Retail?? •Government????
  • 24.
    Government’s role Nocomprehensive national consciousness on data protection Data protection efforts not cohesive – don’t address all industries Government endorses data theft and invasion of privacy? Niira Radia tapes Blackberry controversy …
  • 25.
    Business comes first! Sell more! Expand market share! Heavy reliance on limited number of outsourced vendors Weak mechanisms to oversee data protection by vendors Vendors don’t care…
  • 26.
    When things doend up in court… Judge: IT?!? Senior Counsel: Well…umm…err…you see this is under Section 66 of IT Act because, well…err… Junior Counsel (whispering): Sir…we need to get imaging done…not sure what that is, but the “cyber expert” we hired told us to do this Judge: Please continue! Senior Counsel: Sir we need a forensic investigation done Judge: What is that?!? Okay, seal the website! Court-appointed Commissioner: Yes sir, but kindly clarify who pays my fees?
  • 27.
    Here’s how itgets done!
  • 28.
  • 29.
    Solutions Technologies Encryption Data Leakage Prevention Information Rights Management Database security solutions Audit/Log Management Stronger regulations Stronger laws or stronger enforcement of existing laws Mindset change Data protection does matter! It is NOT a technology issue Policy and process frameworks must be implemented ISO 27001 is not the answer
  • 30.
  • 31.
    Summary It is anepidemic, and it is getting worse! When Big Brother wields the stick, then things begin to happen – fines, penalties, court cases Back to basics approach – thorough risk assessments! Identity and access management Technologies help, but it has to begin with PPP – Policy, Process, People Innovative audit/forensic techniques
  • 32.
    Thank you! Questions /Queries K. K. MOOKHEY kkmookhey@niiconsulting.com NETWORK INTELLIGENCE INDIA PVT. LTD. www.niiconsulting.com