Twitter has locked access to the Free Software Movement of India’s (FSMI) account after the social networking giant said it had found that the account “violated” the company’s policy of “posting private information”. It was done in relation to FSMI posting about the alleged BigBasket data breach in November last year. However, FSMI has reiterated it had not put out any private information.
Kiran Chandra, General Secretary, FSMI, told Newsclick that Twitter’s behaviour “is of serious concern.” While the contents of the account are visible, the particular tweet in question is blocked. “We have decided not to delete the tweet since there is nothing private in it. We have gone for an appeal but even after that it does not let you in. We are not able to access the account right now,” he said.
FSMI is a coalition of regional and sectoral free software movements from different parts of India.
Twitter has locked out @fsmi_in's account for publishing our letter to grievance officer @IndianCERT about data breach incident involving bigbasket. We did not publish any personal information and demand immediate restoration of the account. @fsmi_in @TwitterIndia pic.twitter.com/yMtZBCd8fH
— kiranchandra (@kiranychandra) March 30, 2021
“Even when one goes for an appeal – while it is still blocking that particular tweet – it is not allowing us to access the account. The thing is that it is anyway blocking the tweet. Even after we have gone for an appeal the account is locked. How can Twitter do these things unilaterally?” he asked.
“The least it could do is tell us what private information has been shared. Without intimating us it goes ahead and blocks the tweet and locks the account,” added Chandra.
In a letter to the Indian Computer Emergency Response Team (CERT) on November 11, 2020, FSMI had flagged the alleged data leak of nearly two crore users from online shopping platform BigBasket.
The data, leaked on the dark web, included names, email IDs, contact numbers, pin, full addresses, IP addresses of login, password hashes etc. The dark web is a part of the internet which is encrypted and is inaccessible through conventional means like indexed search engines. The data breach, which is said to have happened on October 14 last year, made users’ data available for sale for about Rs 30 lakh.
“The letter was written to the public grievance officer as per norms. The officer’s name is available for public consumption by the Government of India website and the other information is the email ID which is also public information. There is nothing private there and the data breach is public knowledge,” Chandra clarified.
Public Grievance Officer Ajay Lakra’s name is indeed available on the CERT website with the timeline for grievance redressal.
“We are asking about due process which the government is obligated to follow. We want to know what is happening with our data since we are people who understand these kinds of issues and the sensitivity of our data,” added Chandra.
The alleged leak of user data had surfaced in November last year. “In the course of our routine Dark web monitoring, the Research team at Cyble found the database of Big Basket for sale in a cyber-crime market, being sold for over $40,000. The leak contains a database portion; with the table name ‘member_member’. The size of the SQL file is ~ 15 GB, containing close to 20 Million user data. More specifically, this includes full names, email IDs, password hashes (potentially hashed OTPs), pin, contact numbers (mobile + phone), full addresses, date of birth, location, and IP addresses of login among many others,” US cybersecurity firm Cyble had said.
On November 6 BigBasket filed a complaint at the cyber crime cell of Bengaluru and had said it was evaluating the extent of the breach. In a statement it had said the privacy of its customers was a priority and that the platform does not store financial data of its users and was confident that the financial data was secure, according to PTI.
In its letter to CERT on November 11, FSMI referred to the cyber crime complaint, adding that “we request you to also initiate an investigation into this incident and update citizens on what has transpired at BigBasket. As Public Grievance Officer, we hope you will provide us a redressal to this incident under Section 43 A of IT Act. We are hoping you would carry out this exercise expeditiously and provide us a copy of the investigation. Kindly confirm receipt of this letter within 2 days as per your citizen’s charter and a detailed redressal for the grievance in a month’s time.”
On December 12, FSMI followed up on its request, mentioning that it had been over a month since its letter and that India’s CERT had not sent any “acknowledgement or response”. It had added that CERT was obliged to acknowledge its complaint in two days time and resolve it in 30 days under its citizen’s charter.
According to a blogpost by US-based cybersecurity firm Cyble, the “cyber-attack on BigBasket was conducted by an infamous organised hacking group namely – ‘ShinyHunters’.” The firm also put out a timeline of events, mentioning that the alleged leak happened on October 14, 2020, that Cyble had detected it on October 30 and informed BigBasket on November 1.
However, in its post, Cyble had claimed that the police complaint in Bengaluru was filed against it, and accused BigBasket of “shooting the messenger”. “We see this allegation as a desperate attempt to erode our reputation and credibility by certain nefarious and malicious entities (such as paid / incompetent media outlets). The fact is – we found the breach, we provided the intelligence related to the breach to their team (with no obligation), we disclosed the breach responsibly with clear timelines from our side and never demanded any payments (proof available), we waited for them to disclose the breach (which they haven’t made to-date). The third-party media reports have failed to validate any of the claims made by BigBasket in their alleged complaint,” the cybersecurity firm had said.
“Basically it is not just shooting the messenger but also those who ask what the status of the case is. The ideal thing for the government agency is to respond.
Twitter will have to come out and say what forced them to take such a step,” added Chandra.
The incident comes at a time when hackers leaked data like mobile phone numbers, bank account details, email, and credit card numbers of 9.9 crore Indians, allegedly Mobikwik users, which the digital payments company has denied. The disclosure about the data leak was made by cyber security analyst Rajashekhar Rajaharia who has also written to the Reserve Bank of India, CERT, PCI Standards and payment technology firms etc.
“CERT should start taking its responsibility seriously and investigate all these data leaks. At a time when public data is going for a toss, CERT can’t sit idle,” said Chandra.
Full Disclosure: Newsclick’s Editor-in-Chief Prabir Purkayastha is the President of FSMI.
With PTI inputs