There was a breaking news about details of 2 crore users by Big Basket put for sale on Dark Web.

It was revealed by one cyber intelligence firm Cyble, that BigBasket has leaked sensitive data such as full names, email IDs, password hashes, contact numbers, addresses, and more on the dark web. Adding to the woes of BigBasket, a hacker has put the data on sale for around Rs 30 lakh.

What is Dark Web?

Oxford Dictionary defines Dark Web as under:

the part of the World Wide Web that you can only get access to with special software, allowing users and website owners to remain secret, used especially for criminal activities

Lexico Defines Term as:

The part of the World Wide Web that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable.

Cambridge Dictionary says : parts of the internet that are encrypted (= use a secret code), that cannot be found using ordinary search engines, and that are sometimes used for criminal activity:

The dark web can provide a haven for extremist groups to exchange ideas.

For example:

Sale of Drugs

Sale of Data illegally

Dark web was point of discussion in Sushant Case in India.

Sale of illegal weapon

Now let us see what law says regarding data breach in India

Information and Technology Act,2000 provides as under: The said provision was inserted in 2009

[84A. Modes or methods for encryption.–The Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption.

84B. Punishment for abetment of offences.–Whoever abets any offence shall, if the act abetted is committed in consequence of the abetment, and no express provision is made by this Act for the punishment of such abetment, be punished with the punishment provided for the offence under this Act.

Explanation.–An act or offence is said to be committed in consequence of abetment, when it is committed in consequence of the instigation, or in pursuance of the conspiracy, or with the aid which constitutes the abetment.

84C. Punishment for attempt to commit offences.–Whoever attempts to commit an offence punishable by this Act or causes such an offence to be committed, and in such an attempt does any act towards the commission of the offence, shall, where no express provision is made for the punishment of such attempt, be punished with imprisonment of any description provided for the offence, for a term which may extend to one-half of the longest term of imprisonment provided for that offence, or with such fine as is provided for the offence, or with both.]

85. Offences by companies.–

(1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder is a company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly: Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.

 (2) Notwithstanding anything contained in sub-section (1), where a contravention of any of the provisions of this Act or of any rule, direction or order made thereunder has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.

Explanation.–For the purposes of this section,–

  • company means any body corporate and includes a firm or other association of individuals; and
  • director, in relation to a firm, means a partner in the firm

Right to Privacy:

 This was decided by 9 Judges Bench of Supreme Court in Justice K.S. Puttuswamy vs.UOI it was held that, “ The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution.”

Information and Technology Act,2000

72. Penalty for Breach of confidentiality and privacy.–Save as otherwise provided in this Act or any other law for the time being in force, if any person who, in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder, has secured access to any electronic record, book, register, correspondence, information, document or other material without the consent of the person concerned discloses such electronic record, book, register, correspondence, information, document or other material to any other person shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.

Data Breach Laws in India:

India does not have at present Data Protection Act but Draft Bill is prepared and is pending for debate and approval.

Section 3 (30) of the said Bill says that,

“Personal data breach” means any unauthorised or accidental disclosure, acquisition, sharing, use, alteration, destruction, loss of access to, of personal data that compromises the confidentiality, integrity or availability of personal data to a data principal;

Section 32 of the said draft Bill provides that,

32. Personal Data Breach.— (1) The data fiduciary shall notify the Authority of any personal data breach relating to any personal data processed by the data fiduciary where such breach is likely to cause harm to any data principal.

(2) The notification referred to in sub-section (1) shall include the following particulars— (a) nature of personal data which is the subject matter of the breach; (b) number of data principals affected by the breach; (c) possible consequences of the breach; and (d) measures being taken by the data fiduciary to remedy the breach.

(3) The notification referred to in sub-section (1) shall be made by the data fiduciary to the Authority as soon as possible and not later than the time period specified by the Authority, following the breach after accounting for any time that may be required to adopt any urgent measures to remedy the breach or mitigate any immediate harm.

 (4) Where it is not possible to provide all the information as set out in sub-section (2) at the same time, the data fiduciary shall provide such information to the Authority in phases without undue delay.

(5) Upon receipt of notification, the Authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate such harm.

(6) The Authority, may in addition to requiring the data fiduciary to report the personal data breach to the data principal under sub-section (5), direct the data fiduciary to take appropriate remedial action as soon as possible and to conspicuously post the details of the personal data breach on its website.

(7) The Authority may, in addition, also post the details of the personal data breach on its own website.

Chapter X provides for establishment of Data Protection Authority

Chapter XI Section 69 of the draft Bill provides that, Where the data fiduciary contravenes any of the following provisions, it shall be liable to a penalty which may extend up to five crore rupees or two per cent of its total worldwide turnover of the preceding financial year, whichever is higher, as applicable

70. Penalty for failure to comply with data principal requests under Chapter VI.— Where, any data fiduciary, without any reasonable explanation, fails to comply with any request made by a data principal under Chapter VI of this Act, such data fiduciary shall be liable to a penalty of five thousand rupees for each day during which such default continues, subject to a maximum of ten lakh rupees in case of significant data fiduciaries and five lakh rupees in other cases.

71. Penalty for failure to furnish report, returns, information, etc.— If any data fiduciary, who is required under this Act, or rules prescribed or regulations specified thereunder, to furnish any report, return or information to the Authority, fails to furnish the same, then such data fiduciary shall be liable to penalty which shall be ten thousand rupees for each day during which such default continues, subject to a maximum of twenty lakh rupees in case of significant data fiduciaries and five lakh rupees in other cases.

72. Penalty for failure to comply with direction or order issued by the Authority.— If any data fiduciary or data processor fails to comply with any direction issued by the Authority under section 62or order issued by the Authority under section 65,as applicable, such data fiduciary or data processor shall be liable to a penalty which, in case of a data fiduciary may extend to twenty thousand rupees for each day during which such default continues, subject to a maximum of two crore rupees, and in case of a data processor may extend to five thousand rupees for each day during which such default continues, subject to a maximum of fifty lakh rupees.

73. Penalty for contravention where no separate penalty has been provided.— Where any person fails to comply with any provision of this Act, or rules prescribed or regulations specified thereunder as applicable to such person, for which no separate penalty has been provided, then such person shall be liable to a penalty subject to a maximum of one crore rupees in case of significant data fiduciaries, and a maximum of twenty five lakh rupees in all other cases.

Now let us study criminal provision under Indian Penal Code

Section 466 is forgery, which includes forgery of data register of Computer. And provides for punishment It says,[Whoever forges a document or an electronic record], purporting to be a record or proceed­ing of or in a Court of Justice, or a register of birth, baptism, marriage or burial, or a register kept by a public servant as such, or a certificate or document purporting to be made by a public servant in his official capacity, or an authority to institute or defend a suit, or to take any proceedings therein, or to confess judgment, or a power of attorney, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine. 1[Explanation.—For the purposes of this section, “register” includes any list, data or record of any entries maintained in the electronic form as defined in clause (r) of sub-section (1) of section 2 of the Information Technology Act, 2000.]

468 Forgery for purpose of cheating.—Whoever commits forgery, intending that the [document or electronic record forged] shall be used for the purpose of cheating, shall be punished with imprisonment of either de­scription for a term which may extend to seven years, and shall also be liable to fine.

469. Forgery for purpose of harming reputation.—Whoever commits forgery, [intending that the document or electronic record forged] shall harm the repu­tation of any party, or knowing that it is likely to be used for that purpose, shall be punished with imprisonment of either description for a term which may extend to three years, and shall also be liable to fine.

470. Forged [document or electronic record].—A false [document or electronic record] made wholly or in part by forgery is designated “a forged [document or electronic record]”.

471. Using as genuine a forged [document or electronic record].—Whoever fraudulently or dishonestly uses as genuine any [document or electronic record] which he knows or has reason to believe to be a forged [document or electronic record], shall be punished in the same manner as if he had forged such [document or electronic record]

411. Dishonestly receiving stolen property.—Whoever dishonestly receives or retains any stolen property, knowing or having reason to believe the same to be stolen property, shall be punished with imprisonment of either description for a term which may extend to three years, or with fine, or with both.

Judgements on Data theft in India

Tony Enterprise vs RBI- Kerala High Court

Data theft in Cyber Law means stealing another person’s confidential or personal information without his consent or authority. The online banking service of a customer is linked with his email and mobile number.

Devendra Rameshchandra Jain vs The State Of Maharashtra

during continuation of employment with Grind Master Machines, under active connivance with applicant, had committed theft of the technology by transmitting drawings and quotations of the company through his personal email committed theft of data relating to the said company which was stored in its system

following questions referred to the Larger Bench :-

1) Whether Section 43 read with Section 66 of I.T. Act covers the cases :-

a) Involving the obtaining of permission, by cheating the owner or any other person, who is in-charge of computer, computer system or computer network, and thereby induced the owner or person in charge of the computer, computer system or computer network for doing the act enumerated in Section 43 of the I.T. Act ?

b) The expression fraudulently or dishonestly covers the cases in which permission is obtained from the owner or person who is in-charge of computer or computer system or computer network by cheating him ?

c) Whether Section 72 of the I.T. Act covers all the ingredients of Sections 406, 408, 409 of the Indian Penal Code especially cases in which access is secured dishonestly to any electronic correspondence, information, document or other material and the said electronic record correspondence, information, document or material in misappropriated or converted for one’s own use ?

d) Whether the acts done under Sections 43 or 72 of the I.T. Act cover the criminal acts done with common intention ?

This matter awaits hearing and Judgment.

Hacking Laws :

Hacking laws are provided in IT Act,2000 and IPC Section 43 provides for Penalty and compensation for damage to computer, computer system, etc and Section 66 provides for computer related offences.–If any person, dishonestly or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to five lakh rupees or with both.

Section 378 of IPC provides for Theft.—Whoever, intending to take dishonestly any moveable property out of the possession of any person without that per­son’s consent, moves that property in order to such taking, is said to commit theft.

Section 379 provides for Punishment for theft.—Whoever commits theft shall be pun­ished with imprisonment of either description for a term which may extend to three years, or with fine, or with both.

Whether offenses under Cyber Crime read with IPC and IT Act,200 are bailable and compoundable ?

Most of  cyber-crimes under the IPC are bailable other than offenses under section , section 378 (theft), section 409(criminal breach of trust by public servant, or by banker, merchant or agent)411 (dishonestly receiving stolen property); section 420 (cheating and dishonestly inducing delivery of property), section 468 (forgery for the purpose of cheating)which are non-bailable.

India needs strict Cyber Laws for hacking and .

Shruti Desai

9th November,2020