Data Breach in Nepal during COVID 19

Summary
The critical situation of COVID 19 effected in different sectors with various issues and
challenges. The only solution to those issues and challenges were digitalization. Due to
availability of many applications and software users were forced to use them to complete their
work. In this stage everybody were using online platforms to do their work like students had
online classes and the jobs were made online as well. Which lead to the use of those
applications and software. This report is a study done in context of Nepal during COVID 19
where the number of cases of data breach and hacking increased extensively.

Data in technical term represent the series of numbers or sequences of variables which needs
an algorithm or program to be processed and breaching means an incident in which an
unauthorized person steals or takes the access to sensitive, confidential or protected
information from a system. The information may include customer’s data, card details. The
effect of data breach damages the company reputation due to betrayal of trust as well as their
customers may also suffer financial losses. Most data breaches are due to hacking or malware
attacks.

Phases of a Data Breach

 Research: This is the first phase of data breach in which the attacker picks a target and
looks for the weakness in employees, system or network. This phase takes long hour’s
days or year research on the employee or company to find out the infrastructure of the
company.
 Attack: After the attacker finds the weakness of the company, the attacker make the
contact either through social attack or network based attack.
 Exfiltrate: After the success in the attack and the attacker is inside the network, the
attacker can have access to the company’s data which are used for either blackmailing
or sold in dark web.
The hackers blame to the private companies for their negligence in the security whereas the
companies blame to the government for lack of infrastructure and policy. Despite the fact that
there is “Privacy Act” which has been legally adopted in Nepal, the citizens of Nepal have not
been able to understand and adopt its use. Technology is upgraded but when it comes in
securing them organization choose the cheaper option and the system is compromised.
Data Breach is a dynamic topic which has no radical solution except improving the values and
culture of an organization. The problem comes from the security laps and carelessness and
ignorance.
According to Google, “Our systems have detected 18 million malware and phishing Gmail
messages per day related to COVID-19, in addition to more than 240 million COVID-related daily
spam messages. Our machine learning models have evolved to understand and filter these
threats, and we continue to block more than 99.9 percent of spam, phishing and malware from
reaching our users.”

Literature review
Nepal Law commissson
Report on Data breache and privacy in Nepal during COVID 19 by shreedeep
raymajhi
Current Law in Nepal
Privacy Act of Nepal
Chapter-6, Privacy Relating to Data
Article 12 to have privacy of data:
1. Every person shall have the right to keep the personal data or details related to him or
her confidential.
2. While collecting personal or family data of any person, his or her consent shall be
obtained.
3. The data collected by a public body or body corporate upon obtaining the consent of
the concerned person shall be used only for the purpose for which such data have been
collected. Provided that if any data are demanded for the national security or peace
and order, it shall not be deemed to bar to provide such data in accordance with the
prevailing law.
Link: http://www.lawcommission.gov.np/en/archives/20704

Chapter-10 Collection and Protection of Personal Information

Article 25 Protection of collected information:
1. The personal information that has been collected by any public body or remained under
the responsibility or control of such a body shall be protected by such body.
2. For the purpose of sub-section (1), the public body shall have to make appropriate
arrangement against unauthorized access likely to occur to personal information, or
 against the possible risk of unauthorized use, change, disclosure, publication or
transmission of such information.
3. Notwithstanding anything contained elsewhere in this Section, the public body may
disclose or get any personal information disclosed under the prevailing law. Not to use
personal information without consent: (1) Except in the following circumstances, the
personal information collected by or remained under the responsibility or control of a
public body or body corporate shall not be used or given to anyone without the consent
of the concerned person:

a. It has been published or distributed for the purpose of which the personal
information has been collected,
b. If demanded in written form, in the course of investigation or prosecution of a
criminal case, by the official authorized for making such investigation or
prosecution,
c. If an order is made by the court in the course of taking action on a sub-judice
case,
d. If question is to be solved, when it is raised about the qualification or any other
matter of the person, who is holding a public post under the prevailing law,
e. If the authorized official demands for any particular kind of information in
written form, in order to solve the question raised on any particular matter.
Link: https://www.lawcommission.gov.np/en/archives/20694

Report on Data breache and privacy in Nepal during COVID 19 by shreedeep

raymajhi
Link: https://www.slideshare.net/ShreedeepRayamajhi/report-on-data-breach-and-privacy-in-
nepal-during-covid19-by-shreedeep-rayamajhi

Issue Personal Information

Cyber security issue Hacking | Data Breach | Data Privacy
No of victims 50,000
Foodmandu App Hacking

March 8, 2019, Foodmandu, an e-commerce

company providing on-demand food delivery
service across Kathmandu valley encountered
data breach on Saturday night. According to a
statement released by the company on Sunday,
they detected a cyberattack by a hacker which resulted in unauthorized access of customer
data. Names, mailing addresses, email addresses and phone numbers of the users were
exposed to cyber-attack, according to CEO Nidhaan Shrestha. A Twitter handle by the name of
Mr. Mugger revealed the dump of data of 50 thousand Foodmandu users and also disclosed the
link associated with the data. Foodmandu, on the other hand, informed that they fixed the
loophole in their web application immediately after the incident was noticed. They further
stated that they are in regular contact with the Cyber Crime Division and also requested for the
security of the dumped data. Claiming that there is no impact on their commercial operations,
Foodmandu in the statement assured to resolve the issue at the earliest.
Link: https://myrepublica.nagariknetwork.com/news/foodmandu-s-website-hacked-50-
thousandusers-data-dumped/

Vianet Website Hacked

Issue Personal Information

Cyber security issue Hacking | Data Breach | Data Privacy |
No of victims 1,60,000

KATHMANDU, April 9: In yet another breach of customer data, Vianet Communications – one of
the largest internet service providers in Nepal – suffered a 'serious hack' on Wednesday. Data
belonging to more than 160,000 consumers was leaked by a hacker through Twitter. This is the
second such data breach incident in a month. Data of Foodmandu – a popular e-commerce
food delivery service – was breached by hackers exactly a month ago. On Wednesday, data was
leaked by a twitter handle @paapi_kto_mah attaching a link, where the personal data of more
than 160,000 Vianet users was made public. The data included emails, phone numbers and
addresses. “The data of more than 160,000 users has been compromised. We [Vianet] found
out about the situation today [Wednesday] afternoon,” Binay Bohra, managing director of
Vianet Communications, told Republica, adding that the company has already informed the
Cyber Bureau of Nepal Police. The company also informed that hackers had started to dig the
consumer data from Tuesday. “The incident is similar to the hacking of a food delivery company
a month ago. It is not clear the Vianet data was compromised by the same group,” said Bohra,
adding that Vianet is also investigating the incident. Bohra confirmed that personal information
of consumers including phone numbers, addresses and email addresses were made public by
the hackers. “The link shared by the hackers has already been taken down with the help of
Nepal Telecommunications Authority (NTA),” Bohra added. Meanwhile, the company has
accepted that it needs to make the system more powerful to better secure users' information.
A month ago, a Twitter user going by the username Mr Mugger had leaked personal
information of almost 50,000 users of Foodmandu. Meanwhile, the Cyber Bureau of Nepal
Police informed that the company informed about the incident late in the afternoon after
several online portals broke the news. The cyber bureau said police have already started
investigations into the case.
Link: https://myrepublica.nagariknetwork.com/news/hackers-leak-personal-info-of-vianet-
users/
Prabhu Money Transfer Attack

Issue Personal Information

Cyber security issue Hacking | Data Breach | Data Privacy |
No of victims 500

Kathmandu, 10 April, 2020 the story has been repeated again with Prabhu Money Transfer
being victim. A twitter handle Cyber_hell_god today posted a tweet that said:After the warning,
the alleged hacker- as promised tweeted a tweet from a new
twitter id where he has added a link which leads to the data
dump of around 500 users that includes IP address, E-mail
address, name, and phone number. Looking at the user data it
seems those of the money senders and receivers. Such data
breach cases have been increasing day by day. First
Foodmandu, then Vianet communications and now Prabhu
Money Transfer have been the victim. As the alleged hackers
say, these companies need to work on increasing cyber securities. User’s data shouldn’t be
treated useless and stored inside a weak firewall.
Link: https://nepstuff.com/prabhu-money-transfer-user-data-compromised-after-a-leak/

TU engineering Website hacked

Issue Personal Information

Cyber security issue Hacking | Data Breach | Data Privacy |
No of victims 406

April 10, 2020, Kathmandu, Nepal, SATAN (@satan_cyber_god), a twitter sensation hacker has
leaked data of Tribhuwan University Teachers and Staffs. Recently, through a Twitter handle
with username @satan_cyber_god, the hacker made
public the names, departments and email addresses of
teachers of Tribhuvan University and CTEVT. Blood groups
with their designations have also been made public.
The hacker has also warned CTEVT to secure its data. He leaked data of 69 people through
Pastebin. The link to the Pastebin had been shared to Twitter. Although the data of different
departments have been leaked, leaked data contains data from Medicine Department the
most.Earlier, the hacker claimed to have leaked the data of Prabhu Money Transfer under
Prabhu Group as a demo data. The leaked data included 406 people’s data including, Name,
Email Address, Phone Number and IP Address.The same person has also warned Nepali
Congress to secure its system else he’d leak the data along with donations received.
Link: https://ictframe.com/satan-leaked-data-of-tribhuvan-university-teaching-staffs/

The Impact of Covid-19 on National Security of Nepal

According to susma giri The growth in the use of the internet, computer, and other devices
amongst people has, on the one hand, enhanced the efficiency, effectiveness, and capacity of
individuals and institutions whereas on the other hand, the opportunities created in cyberspace
have posed threat resulting to the commission of the crime. Subject-matters that were once
under the national jurisdictions, i.e., political conversations, trade, commerce, social lives, and
national security considerations are now migrating to the scope of ungoverned digital spaces.
Despite its multiple benefits, the online/cyberspace provokes criminal activities, such as
hijacking, spamming, phishing and cybercrimes.
The Government of Nepal does not have updated relevant laws to address the emerging cyber
issues. It also remains without designated expertise both on how to secure their IT systems and
to understand the true extent of the threats. Some threats may be much more substantial than
government officials may anticipate, such as their vulnerability to e-government website hacks.
Other threats that are difficult to quantify due to animosity and ambiguity may lead to a
heightened fear of the unknown impact on social, economic, and cultural aspects of people's
lives. Cybercrime is not something that runs on its own but is impacted due to and by other
aspects of human lives. Therefore, online systems are needed to be made visible in the
planning or strategy of national security. The skills and capabilities of government officials
should be enhanced to make them able to deal with the emerging cyber issues. The cyber
resiliency should be built either through the initiation of government or in cooperation with
private institutions to make the cyber governance stronger.
Link: https:// www.nepjol.info /

Have data breaches become common in Nepal?

HRITIKA SHARMA
With the democratization of technology, cyberspace has become a place where users fall prey
to financial scams, information theft and blackmailing. Instances of personal social media
handles being hacked is also prevalent in Nepal. To hold cyber criminals accountable, the Nepal
Police established a cyber-bureau on June 10, 2018. It is located in Bhotahiti, Kathmandu.
Citizens who reside in the valley pay a visit to the bureau to file a complaint whereas those
residing outside do it via mail or an in-person visit to the local police station. The bureau
receives many cases related to character assassination and defamation mostly through social
media platforms.
Suyash Nepal, a cyber-security engineer at Nepal’s leading cyber security enterprise ThreatNix,
says, “There is still little awareness in the general public about maintaining cyber security.
However, in the corporate world, people are undeniably concerned about their companies'
data security."
Setting an easy and repeated password for multiple online platforms increases the vulnerability
of the person to get their accounts hacked and manipulated against their will. Moreover, the
use of pirated software, hardware or application also plays a major role in increasing one’s
susceptibility to fall victim to invasion of privacy and data theft. Inspector Raj Kumar Khadgi at
the cyber bureau recommends not making one’s social media profile public and consulting the
cyber bureau for help if anything wrong happens. Hiding or deleting one’s account after an
unwanted incident makes the culprit stronger, according to him. However, in the case of
internet service providers who themselves use customer data itself, “ The proper monitoring of
data usage in Nepal lacks, in the case of internet service providers using customer data.” says
Chief Technology Officer of  Cryptogen Nepal, Nirmal Dahal.
New delivery channels such as ATM, internet banking, mobile banking increases the risk of
financial loss and electronic frauds. In order to manage IT related risks the Nepal Rastra Bank
has set Information Technology Guidelines which all banks operating in Nepal are obliged to
follow. According to it, all banks in Nepal should have a board approved IT related strategy and
policy and it should be reviewed at least annually. Band banks should designate a senior official
of the bank as Information Security Officer (ISO) who will be responsible for enforcing
information security policy of the bank. The government of Nepal, has also recommended to
deploy a strong cryptography and end-to-end encryption to protect customer PINs, passwords
and other sensitive data in the bank network.
 “ To be very honest, only the banks in Nepal, make IT audits as the Government of Nepal, has
issued IT guidelines which obliges them to protect their information systems, but the fact is
other organizations like health institutions also have sensitive data of customers stored in them
but they hesitate to make similar audits in order to save money.” Nirmal Dahal, the Chief
Technology Officer of Cryptogen Nepal concludes.
Link: https://nepalnews.com/s/issues/have-data-breaches-become-common-in-nepal

Enterprise data breach: causes, challenges, prevention, and future directions

Long Cheng, Fang Liu, Danfeng (Daphne) Yao

Over the past few years, massive enterprise data breaches have become a regular occurrence.
Table 1 lists some notable data breaches in recent years, which shows that the consequences of
an individual data breach could cause hundreds of millions of people having their personal
information leaked, and incur financial loss of hundred million dollars. In the following, we
describe several recent data breaches caused by external cyber-attacks and insiders,
respectively. In particular, we examine the Target data breach in detail, which is a
representative data leak incident as the result of outside attackers.

Table 1. Massive Enterprise Data Leak Incidents in Recent Years (Data Source Is from the
Dataset of World's Biggest Data Breaches)

Link: https://wires.onlinelibrary.wiley.com/doi/full/10.1002/widm.1211