41% in India blame telecom, banking service providers for data breach

Recently, several cases have been reported on various social media platforms where loans have been taken against certain names and PAN cards. In some of these cases, except for the name and the PAN number, all other details like date of birth, picture, father’s name and signature were all found to be fake. By misusing the credentials of the victims, unknown people took loans thereby cheating the victim as well as the company disbursing the loan. One of those victims found out about the loan taken through their credit report by chance which reflected the loan they have defaulted upon. Another victim reported how the collection agencies came to their residence to collect the payment for a loan they did not take. Chances are this is happening against many pan cardholders, catching them unaware, and the root cause of this likely is that the personal data of citizens is being breached by entities or their employees with whom people have shared it.

Citizens in most cases are required to share their personal data along with documents, such as PAN and Aadhaar cards, and even banking details, for a myriad of activities from applying for a debit/credit card to getting a SIM card, purchasing loans and policies and filing a claim, to when taking hospital admission, and while travelling, using an electronic wallet service as well as for availing Government services. There are news reports rife in India about almost on an everyday basis about how hackers have tried every method possible to get citizens’ banking details and squeeze a ransom. Millions of citizens’ personal information are being sold, shared, or hacked, without taking the individual’s consent is not new to India’s thriving digital ecosystem.

People had high hopes pinned on the much-awaited implementation of the Personal Data Protection Bill, mainly aimed to put in place tight protection measures and protocols for organisations and the Government bodies gathering and sharing citizens’ data. The bill declares that users who provide data are, in effect, the owners of their data. However, given the concerns of different stakeholders, there is limited hope that this current bill will become a law soon. Per media reports, citing people familiar with the development, the Centre is likely to junk the proposed Personal Data Protection Bill of 2019 in favour of a completely new Privacy Bill.

Taking cognisance of such an important issue, LocalCircles as part of the effort to throw light on citizens’ personal data breach concerns has conducted a survey to understand where all people are sharing their personal financial information with PAN card as an example, along with the entities, citizens hold responsible for compromising their data without their consent. The survey received more than 20,500 responses from citizens residing in 337 districts of India. 66% of the respondents were men while 34% were women. 45% respondents were from tier 1, 32% from tier 2 and 23% respondents were from tier 3, 4 and rural districts.

Majority admit to sharing their pan card details with multiple entities
Citizens were asked, as an example as to who all they have shared their PAN card in the last 10 years and were given multiple options to choose from. In response, 86% of citizens said “banks,” 58% said “mobile service providers” and 54% said “loan or insurance agencies.” Further, 46% of citizens said they have shared their PAN card with “digital payment apps,” 63% share it with ‘government offices” and 60% share it with “chartered accountant/lawyer.” There were also 37% and 30% citizens who shared their pan card with “airlines/hotels, etc” and “all sorts of businesses and people” respectively. This question in the survey received 11,521.

Risk of Personal Data Breach: 41% of those whose personal data was compromised allege it was done by their telecom or banking service providers
The next question in the survey asked citizens, “If your personal data (Pan No, Aadhaar No. Banking Information, Debit/Credit card, address, etc.) was compromised in the last 10 years, who did you find responsible for the breach. In response, 26% of citizens say “mobile or broadband company and its service providers” are responsible for the breach”. There were also 15% who think “bank, debit, credit card or insurance company and their service providers” are responsible, 4% said “hospital and healthcare facilities”, 11% said “travel, shopping and other websites”, and 6% said “Government departments”. 5% said they “gave away the information without checking”, and 33% said “just couldn’t figure out how my data got compromised”. The findings of the poll indicate that 41% of those whose personal data was compromised allege it was done by their telecom or banking service providers. This question in the survey received 8,511 responses. In the case of both banks and telecom providers, most people believe that those providing last-mile services are compromising information. People in the community discussions highlighted how after getting a mobile phone connection, they immediately start getting offers from alternate providers. The same is the case when opening a bank account or registering a business.

In summary, the findings of the survey indicate that the majority of citizens end up sharing their personal financial data like a PAN card with multiple entities like banks, telcos, loan or insurance agencies, digital payment apps, hotels and airlines, government offices, etc. 41% of citizens whose personal data was compromised allege that it was done by their telecom or banking service providers while 33% couldn’t figure out how their data got compromised. The findings indicate that the problem of personal data breach may be much larger in magnitude and the majority aren’t even aware that their personal data has been breached. The Personal Data Protection Bill had proposed penalties for such data breach and proposed a data regulator to handle all complaints. However, it is yet to get approved by the Parliament, and that bill may not see the light of the day in its current form immediately. That said the question that the Government and lawmakers need to ask themselves is should a new Bill that focuses just on personal data breach be brought in so at least this menace of data theft can be controlled. Alternatively, the current Bill may be broken with one including provisions for personal data breach and penalties and a follow-on amendment that defines access by Government and other agencies.

Survey demographics
The survey received more than 20,500 responses from citizens residing in 337 districts of India. 66% of the respondents were men while 34% were women. 45% respondents were from tier 1, 32% from tier 2 and 23% respondents were from tier 3, 4 and rural districts. The survey was conducted via LocalCircles platform and all participants are validated citizens who had to be registered with LocalCircles to participate in this survey.

CT Bureau