On 27th February, Angel One became aware of a data breach, which it appears to have reported to its customers by email as a personal data breach; the notification to the data principals was probably issued on March 2. According to one report, nearly 8 million users have been affected by the breach.
The data breach is reported to involve unauthorized access to AWS resources. The leak was not discovered by the company directly; it was revealed through dark web monitoring by its dark web monitoring partner.
In an official statement, Angel One assured its clients that their securities, funds, and credentials were not affected by the breach. In a sweetly worded notice, it stated as follows:

The breach re-ignites the question of what responsibilities cloud service providers carry for securing access and for monitoring data exfiltration.
Just as we expect bankers to monitor their clients' access to the CBS system through an adaptive authentication system, we should ask why AWS is negligent in not placing security measures that would identify a data leak while the exfiltration is happening.
While we expect Angel One to encrypt the data and protect the login from its side, it is reasonable to expect AWS also to protect its systems from unauthorized access, just as we expect banks to monitor authentication requests.
We should also request MeitY to consider that part of the AWS storage and other cloud service providers which caters to “Significant Data Fiduciaries” (Angel One may be one) should be declared as a “Protected System under Section 70 of ITA 2000” so that it is taken seriously by the cloud service providers.
Such systems may be identified as a "DPDPA Compliant Storage Service". If AWS can provide a HIPAA compliant storage service, it should be capable of providing a DPDPA compliant service as well (maybe a new revenue generation model for AWS and others).
At present the Angel One website does not carry any prominent notice, though the email has been sent to the users.
Under DPDPA compliance, we need to discuss whether it is necessary to report recent data breaches as part of the notice given to new customers who may be joining the service.
FDPPI has already recommended that "All Data Breaches recorded since 11th August 2023 may be reported to DPB under the powers of Section 36 of DPDPA 2023". Along with this we must add that "In every notice, information on past data breaches up to one year should be indicated".
Naavi