Further to the brief report on the FIR reportedly filed by Adarsh Builders on AWS India ,
AWS has responded through their public relations representative from “publicisconsultants-asia.com” as follows:
“The claims against AWS in a recent news report are false. AWS operated as designed and is not responsible for the deletion of Adarsh Developers’ data.” – AWS spokesperson.
I have sought clarification on whether this is a counter accusation that Adarsh Builders have filed a “False FIR” in which case it will also be a threat that counter action may be launched against them or is it to be interpreted as “The allegations made in the FIR by the complainant are denied”.
I am expecting the reply.
The FIR also mentions Redington Group , Bengaluru as A2. I invite response from them.
I have also sought a response from Adarsh Builders and awaiting their reply.
Some of the key information in the FIR state:
“In May 2023, Saidalawi Safan, a business development representative from AWS, contacted the firm and insisted on using their cloud storage servers to ensure retrieval of data even in the events of cyber terrorism or act of sabotage or other events like lightning, earthquake, cyclone, flood, storms, etc,”
“Believing such assurance, in December 2023, the company procured cloud storage facilities with AWS through SAP implementation partner M/s SAVIC Technologies Pvt Ltd, Mumbai. The work order was issued to them to shift the company’s data from the earlier cloud storage facility to the AWS and also to maintain the data securely for three years until November 2027. The payment was agreed for Rs 88,59,924, including GST”
” On January 9, due to the actions of a few individuals at Redington and AWS teams, there has been a data loss”. (We were) further told that employees at Redington Group have entered into our storage area at the root level and deleted our account completely. This event has resulted in the loss of over six years of business data causing substantial financial and operational loss to the company. The deletion of SAP S/4HANA (a business suite used to manage data) has brought the business functions/operations to a complete halt and the vital financial records, supply chain data, customer information, and operational insights accumulated over years are now inaccessible”
Adarsh Builders has stated that they have recovered part of the data deleted and are trying to build the data of customers manually. However a “Personal Data Breach has occurred” and the firm should have reported the breach to CERT In. AWS, Redington as well as Savic Technologies also need to separately file their own breach reports to CERT In. Hope all of them are aware of the Indian data breach requirements.
Being a high profile incident the investigation and the subsequent developments in this case is likely to define the responsibilities of cloud service providers who in most cases are considered as sub contractors of companies. However due to the size of the international organizations like AWS, Azure or Google Cloud, the users take the service contracts on a “As is where is basis” as a “Dotted Line Contract”.
The law in India classifies such contracts as “Unconscionable Contracts” and the onerous conditions are likely to be struck down in a Court of law.
We therefore look at how this case develops in the DPDPA era which is a continuation of the ITA 2000 (Section 43A) regime.
Naavi.org will be leading a discussion on “Obligations and Duties of Cloud Service users and providers” in a knowledge session discussion today at 7.00 pm. This will be open to a limited number of participants on registration and confirmation of registration.
Registration request can be sent here:
https://us02web.zoom.us/meeting/register/CIy9qD-YSBK0o1Bj6_D-nQ
Naavi
Also Refer:
