CERT-In cyber rules could lead to more data breaches in India: Surfshark study

New Delhi: The Indian government's latest set of cyber security rules, which were notified by the Ministry of Electronics and Information Technology (MeitY) on April 28, could lead to more loss of Indian citizens' data to cyber breaches, according to a report by Dutch Virtual Private Network (VPN) service provider Surfshark. The company said in its report that over the past 18 years, more than 250 million usernames and passwords belonging to Indian users have been breached online, making India the sixth most breached country worldwide in terms of cyber incidents.

Before the latest cyber regulations were introduced in the country, Surfshark was one of the many VPN service providers available to Indian users. Under the new rules, any company operating in India has been asked to notify the government of a cyber breach of any form within six hours of becoming aware of it. The rules also require companies that operate cryptocurrency wallets and VPNs to maintain user logs for a period of five years.

In response to these regulations, VPN providers have expressed their opposition, saying that the logging and storage of user data goes against one of the main purposes of using a VPN: privacy. On June 8, Surfshark announced that it would be shutting down its physical servers in India in the face of the new legislation in the country. Fellow VPN providers NordVPN and ExpressVPN had already announced their intention to suspend services in the country unless the data collection provision under the new CERT-In directive was repealed.

The new rules have come into effect from June 28 this month.

According to Surfshark, these rules could create the potential for even more data breaches in India. The company claimed in its study that 18 out of every 100 Indians have already faced some kind of cyber breach since the first cyber breach was reported in the world in 2004. It further said that along with the data collection directive of CERT-In, India also needs to mandate the adoption of stringent and sophisticated data protection tools.

Surfshark’s legal head Gytis Malinauskas said in a statement, “Without robust security mechanisms, collecting excessive amounts of data in Indian jurisdictions could lead to even more breaches across the country.”

A Surfshark report from December last year said that India saw a 4-fold increase in data breaches in 2021, a figure that Surfshark now claims could rise exponentially. Incidentally, Malaysian hacktivist group Dragon Force said earlier this month that it aimed to target the Indian government’s IT infrastructure, as a sign of protest against it. The group has since posted images of a database on its Twitter handle, which it claimed contains email addresses and passwords of individuals associated with government departments.
