Close on the heels of a data hack at Facebook and MobiKwik, LinkedIn has faced a massive breach in which details of over 500 million users were scraped from the platform and posted online for sale on a popular hacker forum.
The dataset includes sensitive information such as email addresses, phone numbers, workplace details, full names, gender, account IDs, and links to users’ other social media accounts.
While the Microsoft-owned professional networking platform said there was no data breach, it acknowledged that the data available include publicly viewable member profiles “that appear to have been scraped from LinkedIn.”
“We have investigated an alleged set of LinkedIn data that have been posted for sale and have determined that it is actually an aggregation of data from a number of websites and companies. It does include publicly viewable member profile data that appear to have been scraped from LinkedIn,” LinkedIn said in a statement.
But experts said that the recent spate of massive data breaches at LinkedIn, Facebook, and MobiKwik is a glaring reminder of how companies should be mandated to immediately inform both the regulators and their users of the leak to ensure users are protected from harm, apart from highlighting the need for a data protection law in India. There is also a need for a substantial data breach reporting requirement in the data protection law, as well as an updated strategy on national cybersecurity, experts said.
None of the companies informed users of the breach.
“Companies are under an obligation — or more generally under data protection (laws) that in practice globally — and also in terms of the human rights impact of their business operations, to let users know when incidents occur that have an impact on their sensitive information and personal data,” Raman Jit Singh Chima, Asia Policy Director and Senior International Counsel at Access Now, told BusinessLine.
“The alarming aspect is not only the fact that the frequency and intensity of such breaches are increasing but also the fact that the entities concerned are obviating reporting such events to the end users as well as the regulators,” said Alok Shende, MD, Ascentius Consulting.
Prasanth Sugathan, legal director, SFLC.in, said that with the user base for online platforms increasing, “we are bound to see more breaches and security incidents. Companies need to up their game and make the platforms secure. Governments should, on the other hand, ensure that the privacy rights of users are protected. The regulatory framework should provide protection for users and minimise chances of harm from such breaches.”
While countries such as Italy have started an investigation into the LinkedIn data breach, Delhi is yet to act on this or on data breaches at other tech firms.