Air India Personal Data Breach: the value for disinvestment might have increased!

Air India has announced that its Passenger Service System was attacked and that the personal data of about 45 lakh data subjects has been compromised. The leaked data elements include name, date of birth, contact information, passport information, ticket information, frequent flyer data and, for some records, credit card data (without the CVV).

There is no doubt that the leaked data contains sensitive personal data or information in the sense of Section 43A of ITA 2000 (passport and payment card details in particular) and that its exposure could cause significant harm to the individuals concerned.

It is not clear what has happened to the leaked data. There is no information on any ransom demand. We may, however, presume that it is available on the dark web.

The breach might have occurred in the systems of the Data Processor, SITA PSS, while Air India is the Data Fiduciary for the data.

More details: Indian Express :: NDTV

Is it an attack to Scuttle Disinvestment?

Some professionals have observed that this could be sabotage connected with scuttling the disinvestment plan. The fact that the hackers did not resort to extortion but simply leaked the information lends credence to this conspiracy theory.

Going by the recent developments related to the "Toolkit politics" of the political parties, it is possible that such political forces are behind the attack. The motive here would be to bring disrepute to anything the Government proposes, irrespective of whether it is beneficial to the country or not.

China, which is suspected of being behind a bio-warfare attack that caused the Covid crisis in India, is also a suspect, since China is an eternal enemy state of India.

Additionally, all parties that had a stake in scuttling the disinvestment plan should be considered potential suspects.

The Air India breach should therefore be investigated by the CBI to check whether the Toolkit gang or others were involved.

Has it been a blessing in disguise?

The attackers may expect that the reputational loss caused by this data breach will significantly reduce the value of the enterprise.

But when an organization is valued for the purpose of disinvestment, the accountants normally take land, buildings, aircraft and other equipment as the main assets. They may also take the net present value of estimated future profits, less accumulated losses and so on.

However, it is highly unlikely that the valuers considered the personal data asset at all, including the 45 lakh data sets now revealed. Air India probably holds well over 45 lakh data sets in its custody. So far, this asset has been carried at zero value.

Now it has suddenly come to light that the company holds 45 lakh data sets and that a large value attaches to them.

What is the value of Data that has been breached?

It is interesting to observe that the PDPSI (Personal Data Protection Standard of India), adopted by FDPPI for PDP-CMS audits, includes an implementation specification (IS 6) which states as follows.

6. Data Valuation and Accounting

The organization shall adopt a policy of assigning a financial value to the inventory of data and provide visibility to the data asset in the books of account.

The value of data may be brought into the books based on a scientific valuation method or on a provisional basis and reported as a special reserve or as a Contra entry (both an asset and liability separately).

The Visibility of the valuation of data as an asset shall be extended to both personal and non-personal data.

At present no organization provides for such a valuation, but it is time professionals started thinking in this direction.

The Institute of Chartered Accountants needs to develop an appropriate valuation methodology for the purpose, though the PDPSI requirement would be satisfied by a contra entry and does not depend on any specific valuation methodology.

The advantage of bringing the value of personal data into the books of account is visibility. Had Air India adopted this process, the management would have realized that it was sitting on a "Data Gold Mine" which could have increased the valuation of the organization.

Even now, Air India has time to assign a value to the data in its possession. The data can still be updated and, though it is no longer confidential, it is worth at least its value as shared data.

The valuation may have to take into account

a) Number of data sets

b) Sensitivity of the data

c) Net Present Value of the data, adjusted for time-based erosion

d) Real or Opportunity cost of acquisition

If each of the 45 lakh leaked (and thereby discovered) data sets is taken to contain credit card data as well, the value of each data set on the dark web may be estimated at around $1000 (refer the Forbes article).

This means that the 45 lakh data sets are worth around $4.5 billion, or about Rs 31,500 crore at roughly Rs 70 to the dollar.

This valuation is a rough indication based on the Forbes article referred to above. We may debate how far this value is diluted now that the data is available to the hackers, in full or in part. Even so, the disinvestment value of Air India appears to have increased with this revelation.

Thanks to the discovery, Air India can now revise its valuation upwards.

Simultaneously, it may evaluate the cost of mitigation of the data breach risk and deduct it from its current profit.

Mitigation of the Data Breach Risk

In the meantime, professionals can look at other aspects, such as how Air India should prepare its "Data Breach Report" and whether the affected individuals should be notified.

One suggestion towards mitigation is that Air India should take a "Group Cyber Insurance Policy" covering liabilities that may arise from any loss suffered by the affected data principals that is attributable to this leak, for a period of, say, one year. The cost of such a policy has to be separately negotiated, and Air India can call for tenders from cyber insurance agencies. These agencies may make their own assessment of the risk of claims arising in the next year attributable to this particular data breach and underwrite that risk.

Speaking of the data leak itself, it is possible that the data was unencrypted in storage or that the hackers had insider assistance. If the data was encrypted at rest and the decryption key was not available to the hackers, the loss is not significant; encryption at rest offers little protection, however, if the attackers worked through an application that could decrypt the data, or had insider help.

The data is supposed to have been collected over a period of around 10 years, so many of the credit cards would already have expired.

This would affect the valuation of the data, the valuation of the risk and the cyber insurance premium alike.
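As an added worked example (not part of the original post, and not a PDPSI or FDPPI method), the arithmetic behind the Rs 31,500 crore figure above, and how it moves once the caveats just discussed are applied: factor (a) is the 45 lakh records and factor (b) is expressed as the assumed dark-web price per record, both taken from the post; factor (c) is modelled as a yearly erosion rate applied to each year's cohort of records; and the expired-card point is modelled as a cut-off age after which the card-related share of a record's value is dropped. Factor (d), the cost of acquisition, is left out because the post gives no figure for it. The exchange rate, erosion rate, card validity period and card share of value are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

LAKH = 100_000
CRORE = 10_000_000


@dataclass
class DataValuationInputs:
    records: int                 # (a) number of data sets
    price_per_record_usd: float  # (b) sensitivity, expressed as an assumed dark-web price per record
    inr_per_usd: float           # assumed exchange rate used to convert to rupees
    years_of_collection: int     # period over which the records were collected
    annual_erosion: float        # (c) fraction of value a record loses per year of age (assumed)
    card_validity_years: int     # cohorts older than this are treated as having expired cards (assumed)
    card_share_of_value: float   # fraction of a record's price attributable to the card data (assumed)


# Figures from the post: 45 lakh records at $1000 each. Everything else is an
# illustrative assumption, not a figure from Air India, SITA or the post.
AIR_INDIA = DataValuationInputs(
    records=45 * LAKH,
    price_per_record_usd=1000.0,
    inr_per_usd=70.0,
    years_of_collection=10,
    annual_erosion=0.10,
    card_validity_years=5,
    card_share_of_value=0.5,
)


def headline_value_inr_crore(inp: DataValuationInputs) -> float:
    """Factor (a) times factor (b), converted to rupees, with no erosion applied."""
    return inp.records * inp.price_per_record_usd * inp.inr_per_usd / CRORE


def eroded_value_inr_crore(inp: DataValuationInputs) -> float:
    """Factor (c): spread the records evenly over the collection period and
    discount each year's cohort by its age. Cohorts older than the card
    validity period also lose the card-related share of their price, which
    is how the 'many cards would have expired' caveat is represented here."""
    cohort = inp.records / inp.years_of_collection
    total_usd = 0.0
    for age in range(inp.years_of_collection):
        price = inp.price_per_record_usd
        if age >= inp.card_validity_years:
            price *= 1.0 - inp.card_share_of_value
        total_usd += cohort * price * (1.0 - inp.annual_erosion) ** age
    return total_usd * inp.inr_per_usd / CRORE


def dilution_percent(inp: DataValuationInputs) -> float:
    """Share of the headline figure that the two caveats remove."""
    headline = headline_value_inr_crore(inp)
    return 100.0 * (headline - eroded_value_inr_crore(inp)) / headline


if __name__ == "__main__":
    print(f"Headline value : Rs {headline_value_inr_crore(AIR_INDIA):,.0f} crore")
    print(f"After erosion  : Rs {eroded_value_inr_crore(AIR_INDIA):,.0f} crore")
    print(f"Dilution       : {dilution_percent(AIR_INDIA):.1f}%")
```

With the assumed parameters the headline Rs 31,500 crore shrinks to roughly Rs 16,700 crore, a dilution of almost half; changing the erosion rate or the card share shows how sensitive any such figure is to assumptions a valuer or an insurer would have to justify.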

I invite PDPSI professionals to share their views on this breach, on the valuation of the data and on the impact on the disinvestment.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India, presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.