Who let the data out? 8K BBMP tax receipts online
The receipts contain the payees’ full names, the addresses of their properties, their zone classification, and the tax paid on the properties. ET is in possession of the 7,740 receipts that were uploaded. BBMP, however, refuses to term it a data breach, saying all the receipts are in the public domain anyway. Cyber security experts have nevertheless raised concerns.
The civic body’s commissioner, Manjunath Prasad, said anyone can download any number of receipts of taxpayers by entering random property tax numbers, and that this facility has been available since 2008. “Whoever has uploaded the data would have entered property IDs and downloaded the forms. But there is no advantage to anyone in obtaining these receipts,” he said.
Apparently, the receipts were not protected by an OTP or password in the interest of keeping the process simple. Seshadri T, advisor, IT Cell, BBMP, said no breach had taken place from the BBMP’s systems.
Bikash Barai, cofounder of FireCompass, a cyber security company that monitors the global internet for breach-related risks, thinks otherwise. Hackers could misuse such data for “social engineering,” i.e., fraud targeted at users. “For example, fraudsters can pose as government officials over the phone, use this data as validation and then demand money,” Barai said.
Such incidents, he believes, should be treated as an indicator that we need to enhance our security systems. As the receipts were not public documents, the BBMP should put in place security controls, like captcha or passwords, to ensure that no one can download multiple receipts.
BBMP officials said the receipt download system is managed by the National Information Commission (NIC). NIC technical director R Venkatesh said the servers used are placed at the state data centre, Centre for e-Governance, and the breach could have occurred either from there or from the BBMP’s GIS-enabled property tax information system (GEPTIS), a BBMP internal portal that provides mapping of all properties within BBMP jurisdiction.
CEO of the Centre for e-Governance Sunil Pawar said there had been no breach of servers at the state data centre. “There are hourly logs available so if some breach happens, we will immediately get to know. But a breach can happen from anywhere and if it is brought to our knowledge by the officials, we can check its source,” he said.
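The commissioner’s description above (anyone can pull receipts by typing in property IDs, with no OTP, password or captcha) and the Centre for e-Governance’s point that server logs would reveal such activity together describe a classic enumeration pattern, and it is visible in ordinary web-server access logs. The following is an added example, not code from BBMP, NIC or the Centre for e-Governance: it assumes a hypothetical receipt endpoint of the form `GET /receipt?pid=<property id>` logged in Apache/Nginx combined format, and the log lines, IP addresses and thresholds are constructed for illustration. It flags any client that requests more than a set number of distinct property IDs inside a sliding time window, which is how a bulk download of thousands of receipts would stand out from a taxpayer viewing their own receipt.

```python
"""
Spotting bulk receipt enumeration in web-server access logs.

Added example (not BBMP's, NIC's or the article's code). Assumes a
hypothetical endpoint  GET /receipt?pid=<property id>  logged in combined
log format. Every log line, IP address and threshold here is constructed.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format fields this check needs: client IP, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
# Hypothetical receipt endpoint; the real BBMP URL scheme is not on the page.
PID_RE = re.compile(r'/receipt\?pid=(?P<pid>\d+)')


def parse_line(line):
    """Return (ip, timestamp, pid, status) for a receipt request, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PID_RE.search(m.group("path"))
    if not p:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, p.group("pid"), int(m.group("status"))


def find_enumerators(lines, window=timedelta(minutes=10), max_distinct=20):
    """Return {ip: peak_distinct_ids} for clients that requested more than
    `max_distinct` distinct property IDs within any `window`-long period.
    404s are counted too: guessed IDs that do not exist are still evidence."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[1])           # log may be concatenated out of order
    recent = defaultdict(deque)               # ip -> (ts, pid) pairs still inside the window
    in_window = defaultdict(Counter)          # ip -> pid -> occurrences inside the window
    peak = defaultdict(int)
    for ip, ts, pid, _status in events:
        dq, cnt = recent[ip], in_window[ip]
        dq.append((ts, pid))
        cnt[pid] += 1
        while dq and ts - dq[0][0] > window:  # expire requests older than the window
            _, old = dq.popleft()
            cnt[old] -= 1
            if cnt[old] == 0:
                del cnt[old]
        peak[ip] = max(peak[ip], len(cnt))
    return {ip: n for ip, n in peak.items() if n > max_distinct}


def _stamp(dt):
    return dt.strftime("%d/%b/%Y:%H:%M:%S %z")


def build_sample_log():
    """Constructed sample: one taxpayer reloading their own receipt, and one
    client walking 40 consecutive property IDs at one request per second."""
    ist = timezone(timedelta(hours=5, minutes=30))
    base = datetime(2019, 2, 20, 10, 0, 0, tzinfo=ist)
    fmt = '{ip} - - [{ts}] "GET /receipt?pid={pid} HTTP/1.1" {st} 5120 "-" "Mozilla/5.0"'
    lines = []
    for s in (0, 45):                          # ordinary user: same receipt twice
        lines.append(fmt.format(ip="203.0.113.7", ts=_stamp(base + timedelta(seconds=s)),
                                pid=1000123, st=200))
    for i in range(40):                        # bulk downloader: sequential IDs, some missing
        st = 404 if i % 7 == 3 else 200
        lines.append(fmt.format(ip="198.51.100.23", ts=_stamp(base + timedelta(seconds=60 + i)),
                                pid=2000000 + i, st=st))
    return lines


if __name__ == "__main__":
    for ip, n in find_enumerators(build_sample_log()).items():
        print(f"{ip}: {n} distinct property IDs requested within the window")
```

The threshold and window are policy knobs: a legitimate user rarely needs more than a handful of receipts in ten minutes, while a scraper walking the ID space requests hundreds. Counting distinct IDs rather than raw requests keeps a user who reloads one page from being flagged, and counting 404 responses catches guessing against IDs that do not exist.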
J Prasanna, director of Singapore-based Cyber Security and Privacy Foundation, said databases of such receipts containing personal details are sometimes sold by cyber criminals on the dark web. “This particular data looks like a sample, i.e., a part of the entire database. The criminal often shares such samples with prospective buyers, who then decide if they want to purchase it,” he said.
Any corporate firm that gives out personally identifiable information of any employee or customer is liable for up to three years’ imprisonment under a provision of the IT Act.