VIF Cyber Review: November 2022
Anurag Sharma, Associate Fellow, VIF

NATIONAL

All-India Institute of Medical Sciences (Delhi) witnessed a cyber incident.

The All-India Institute of Medical Sciences (AIIMS), Bharat’s premier medical institution and hospital, experienced a cyber-attack on November 23, 2022. Reportedly, ransomware targeted hospital systems for both inpatients and outpatients, including the smart lab, billing, report creation, and appointment portal. “Today (23 November) the National Informatics Centre’s (NIC) ‘e-Hospital’ server used at the AIIMS (Delhi) was down. Due to this outpatient and inpatient digital hospital services, including smart lab, billing, report generation, appointment scheduling, etc., have been affected. All these services are running in a manual mode currently,” read the statement issued by the AIIMS administration on the same evening.

According to the cyber security intelligence firm CloudSEK, “after the United States, Bharat recorded the second highest number of cyber-attacks on the healthcare industry with a total of 7.7 per cent of the attacks in 2021. The cyber incidents targeting Bharat’s healthcare sector compromised over 71 lakh data records.”[1] During the first week of December, the data was fully restored, and all affected services started working efficiently, according to an official requesting anonymity.

MeitY invited feedback on the draft ‘Digital Personal Data Protection Bill 2022’.

The Ministry of Electronics and Information Technology (MeitY) has formulated a draft bill— ‘Digital Personal Data Protection Bill 2022’. The draft bill’s purpose is to provide for the processing of digital personal data in a way that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, as well as matters related to or incidental to those purposes. The bill defines netizens’ (Digital Nagriks’) rights and duties, as well as the Data Fiduciary’s obligation to use collected data lawfully.

The Bill will lay the groundwork for Bharat's comprehensive legal framework governing digital personal data protection. The Bill addresses the processing of digital personal data in a way that recognises individuals’ right to personal data protection, societal rights, and the need to process personal data for lawful purposes.

MeitY requested public suggestions and feedback on the draft bill. Chapter-wise feedback on the draft bill may be submitted at https://innovateindia.mygov.in/digital-data-protection/ by December 17, 2022.[2]

Bharat to Chair the Global Partnership on Artificial Intelligence for 2023.

On 21 November 2022, Bharat presided as the Chair of the Global Partnership on Artificial Intelligence (GPAI), an international initiative to support responsible and human-centric development and use of AI. Rajeev Chandrasekhar, the Minister of State (MoS) for Electronics & Information Technology and Skill Development & Entrepreneurship, virtually represented Bharat at the GPAI meeting in Tokyo, Japan, for the symbolic takeover from France, which is the outgoing Council Chair.

“We will work in close cooperation with member states to put in place a framework around which the power of Artificial Intelligence can be exploited for the good of the citizens and consumers across the globe- and ensure that there are adequate guardrails to prevent misuse and user harm,” said MoS Chandrasekhar. In order to promote the creation of a trusted ecosystem of applications for citizens and the wider public, Bharat is committed to using AI effectively. AI is anticipated to contribute USD 967 billion to Bharat’s economy by 2035 and USD 450–500 billion to the country’s GDP by 2025, or 10 per cent of the USD 05 trillion GDP objective.

The United States, the United Kingdom, the European Union, Australia, Canada, France, Germany, Italy, Japan, Mexico, New Zealand, the Republic of Korea, and Singapore are among the 25 nations that make up the GPAI. Bharat became a founder member of the organisation in the year 2020. The GPAI is an innovative effort to develop a deeper grasp of the difficulties and potential associated with AI. To guide the responsible development and use of AI that is based on human rights, inclusiveness, diversity, creativity, and economic growth, it collaborates with partners and international organisations as well as experts from business, civil society, governments, and academia.[3]

Tata Communications extended its partnership with UAE’s Intertec Systems to offer ‘managed security services’ in the region.

On 28 November 2022, Bharat’s Tata Communications International Pte Ltd and System Integrator (SI) Intertec Systems, based in the United Arab Emirates (UAE), extended their partnership, under which Tata Communications provides managed services in the region. As per the extended agreement, Tata Communications has established a Cyber Security Operations Centre (CSOC) and managed security services to strengthen the cyber defence of several enterprises in the region.

“The CSOC provides managed security services bundled with cyber-threat intelligence to secure the enterprises’ mission-critical information, offering world-class insights to help safeguard and protect their business,” read the joint statement released by both companies. The CSOC will enhance security incident detection and lessen the serious effects of cyber-attacks, including monetary losses and reputational harm. Tata Communications will offer real-time analytics with cutting-edge intelligence as part of the managed SOC services; these analytics will make use of automation and information enrichment and be continuously monitored.[4]

INTERNATIONAL

US hosted the ‘2nd International Counter Ransomware Initiative Summit’

From 31 October to 01 November 2022, the United States brought together 36 nations and the European Union (EU) for the second International Counter Ransomware Initiative (CRI) Summit. The summit’s objective was to discuss and develop concrete, cooperative actions to counter the spread and adverse impact of ransomware worldwide. Over recent years, the CRI has worked to increase the resilience of all CRI partners, disrupt cyber criminals, counter illegal finance, build private sector relationships, and cooperate globally to address the challenge of ransomware. The CRI comprises five Working Groups (WGs)— i) Resilience (co-led by Bharat and Lithuania), ii) Disruption (led by Australia), iii) Counter-Illicit Finance (led by the United Kingdom and Singapore), iv) Public-Private Partnership (led by Spain), and v) Diplomacy (led by Germany).[5]

Interpol recovered USD 130 million from cyber criminals in Global “HAECHI-III” crackdown ops.

The Interpol operation, dubbed HAECHI-III, took place between 28 June and 23 November 2022, resulting in the arrest of 975 people and the closure of over 1600 cases. Another case involved a call centre scam based in Bharat, in which a group of criminals impersonated Interpol and Europol officers in order to dupe victims in Austria into transferring funds. The call centres were located in New Delhi and Noida.

The fraudsters informed the victims that their “identities were stolen and crime pertaining to narcotics drugs were committed in their names. To clear their names, the victims were forced to transfer their assets/money to a trust account via bank transfers, crypto wallets, gift card codes, or voucher codes,” read the statement released by Interpol.[6]

US Senate tightened restrictions on Chinese semiconductors.

The Democratic leader in the US Senate submitted a request to members on 28 November 2022, asking them to support his proposal to forbid the US government from doing business with firms that use semiconductors supplied by companies the Pentagon views as Chinese military contractors. “If American business wants the federal government to buy their products or services, they shouldn't be using the kind of Chinese-made chips that, because of Chinese government involvement, put our national security at risk. We need our government and our economy to rely on chips made right here in America,” said US Senator Chuck Schumer in his remarks opening the Senate after its Thanksgiving holiday recess.

The proposal was presented by Senator Schumer and Republican Senator John Cornyn as an amendment to the National Defense Authorization Act (NDAA), a yearly law that establishes policies for the Department of Defense (DoD). Because it decides everything from the purchases of ships and planes to pay increases for the troops and how to manage geopolitical challenges, the NDAA is closely watched by a wide range of industry and other interests.[7]

Irish regulators fined Facebook’s Meta €265 million in privacy case.

On 28 November 2022, the Irish regulators fined Meta € 265 million (approximately USD 277 million) for breaching the European Union data privacy rules. According to the Data Protection Commission, Meta breached the General Data Protection Regulation (GDPR), which requires technical and organisational measures aimed at protecting users’ data.

In 2021, the Irish regulators opened an investigation regarding a development in which data of more than 533 million users was found ‘dumped’ online. The personal data included names, Facebook IDs, phone numbers, locations, birth dates and e-mail addresses of people from more than 100 nations. According to Meta, the data was scraped from Facebook using tools designed to help people find their friends through phone numbers using the ‘search’ and ‘import contacts’ features. The investigation covered scraping carried out between May 2018 and September 2019. In September, the Irish regulators fined Instagram (another Meta-owned social networking platform) € 405 million.[8]

Medibank-incident hackers leaked health data on dark web.

In mid-October 2022, Medibank announced it had experienced a cyber-incident. On October 12, 2022, the private health insurer informed its stakeholders that Medibank had been the victim of a cyber-incident. On 19 October, Medibank released a statement stating that it had received a message from cyber attackers that "wishes to negotiate with the company regarding their alleged removal of customer data". The hackers threatened to release private medical information of high-profile Australians if a ransom was not paid. On 07 November 2022, a statement from Medibank said that criminals had accessed the personal data of around 9.7 million people.[9] The data included details on chronic conditions such as heart disease, as well as the patient details of people with cancer, dementia, mental health conditions and infections.[10]

Endnotes:

[1] Dabhade, Aishwarya. “AIIMS cyberattack exposes the vulnerability of Indian healthcare”, Moneycontrol, 25 November 2022, accessed on 09 December 2022, available from: https://www.moneycontrol.com/news/india/aiims-cyberattack-exposes-the-vulnerability-of-indian-healthcare-9599771.html
[2] “MeitY invites feedback on the draft ‘Digital Personal Data Protection Bill 2022’”, Ministry of Electronics and IT, 18 November 2022, accessed on 09 December 2022, available from: https://pib.gov.in/PressReleasePage.aspx?PRID=1877030
[3] “India takes over as Council Chair of Global Partnership on AI (GPAI)”, Ministry of Electronics and Information Technology, 21 November 2022, accessed on 10 December 2022, available from: https://www.pib.gov.in/PressReleasePage.aspx?PRID=1877739
[4] “Tata Communications, Intertec expand partnership to offer managed security services in UAE”, Economic Times, 28 November 2022, accessed on 10 December 2022, available from: https://telecom.economictimes.indiatimes.com/news/tata-communications-intertec-expand-partnership-to-offer-managed-security-services-in-uae/95828665
[5] “Fact sheet: the second international Counter Ransomware Initiative Summit”, The White House- United States, 01 November 2022, accessed on 09 December 2022, available from: https://www.whitehouse.gov/briefing-room/statements-releases/2022/11/01/fact-sheet-the-second-international-counter-ransomware-initiative-summit/
[6] “Cyber-enabled financial crime: USD 130 million intercepted in global INTERPOL police operation”, Interpol, 24 November 2022, available from: https://www.interpol.int/en/News-and-Events/News/2022/Cyber-enabled-financial-crime-USD-130-million-intercepted-in-global-INTERPOL-police-operation
[7] Zengerle, Patricia. “US Senate eyes tightened restrictions on Chinese semiconductors”, Economic Times, 29 November 2022, accessed on 09 December 2022, available from: https://telecom.economictimes.indiatimes.com/news/u-s-senate-eyes-tightened-restrictions-on-chinese-semiconductors/95842071
[8] Associated Press. “Irish watchdog fines Meta € 265 million in latest privacy case”, Deccan Herald, 28 November 2022, accessed on 10 December 2022, available from: https://www.deccanherald.com/business/business-news/irish-watchdog-fines-meta-265-million-euros-in-latest-privacy-case-1166531.html
[9] “Medibank cyber-crime update”, The Guardian, 28 November 2022, available from: https://www.theguardian.com/technology/2022/nov/29/is-it-worth-taking-out-personal-cyber-insurance-in-case-you-are-caught-up-in-a-data-hack
[10] McGown, Michael. “Medibank hackers release 1,500 more patient records on dark web, including mental health data”, The Guardian, 20 November 2022, accessed on 12 December 2022, available from: https://www.theguardian.com/australia-news/2022/nov/20/medibank-hackers-release-1500-more-patient-records-on-dark-web-including-mental-health-data
