Identity Theft is Not a Joke, Jim!

Ramesh (name changed), a resident of Punjab, received a phone call from one of the largest banks of India regarding a two-wheeler loan. He was shocked, because he had availed no such loan, and he was told to visit the branch. Upon further inquiry, he came to know that six loans had been availed in his name.

As per the Norton Cyber Safety Insights Report, more than 2 in 5 Indian consumers (approximately 45 per cent) have experienced identity theft.

Identity theft is a pervasive and insidious form of cybercrime that poses a significant threat to individuals and organizations alike. It involves the unauthorized acquisition and use of someone’s personal information for fraudulent purposes. Perpetrators of identity theft, often referred to as identity thieves, exploit various modes to obtain sensitive data, wreaking havoc on victims’ lives and causing substantial financial losses.

One common mode of identity theft is phishing. In phishing attacks, scammers use deceptive emails, messages, or websites to trick individuals into revealing their personal information, such as login credentials, credit card details, or social security numbers. These fraudulent communications often appear to be from legitimate sources, making it challenging for unsuspecting victims to discern the scam.

Another mode is data breaches. In this scenario, cybercriminals infiltrate databases or systems containing vast amounts of personal information. The stolen data can include names, addresses, dates of birth, and even financial information. These breaches can be caused by security vulnerabilities or weak practices employed by organizations, putting millions of people at risk of identity theft.

Additionally, identity thieves may employ social engineering tactics. Through phone calls or in-person interactions, they manipulate individuals into divulging sensitive information. By exploiting trust or impersonating someone in authority, these criminals can obtain critical data that enables them to conduct fraudulent activities under the victim’s name.

Mail theft is another traditional method used by identity thieves. They steal personal information directly from people’s mailboxes, intercepting credit card statements, pre-approved credit offers, and other sensitive documents. Subsequently, they use the acquired information to open fraudulent accounts or make unauthorized purchases.

Furthermore, with the rise of technology, online identity theft has become increasingly prevalent. Cybercriminals use malware, keyloggers, and spyware to gain unauthorized access to victims’ computers or mobile devices, capturing login credentials and other private data.

What Can Organizations Do?

Organizations can take several proactive steps to enhance their preparedness against identity theft and safeguard sensitive data. Firstly, they should implement robust security measures such as multi-factor authentication and encryption to protect user accounts and sensitive information from unauthorized access. Regular security audits and vulnerability assessments can help identify and address potential weaknesses in the organization’s infrastructure.

Furthermore, employee training and awareness programs are crucial to educate staff about the risks of identity theft and the importance of data protection. Employees should be trained to recognize phishing attempts, social engineering tactics, and other common forms of cyberattacks.

In addition, organizations should have a well-defined incident response plan in place to swiftly and effectively handle any security breaches or data leaks. This plan should include clear protocols for reporting incidents, containing the breach, and notifying affected parties as required by law.

What to do as Individuals?

To protect against identity theft, individuals must remain vigilant. This includes using strong and unique passwords, refraining from sharing personal information over unsolicited communications, regularly monitoring financial statements, and implementing security software on devices.

If you believe you have been a victim of identity theft, you should inform the concerned authorities and also the police. Under Section 66C of the Information Technology Act, 2000 (IT Act), the crime of identity theft entails imprisonment up to 3 years and also a fine of Rs. 1 lakh. Section 66D of this Act prescribes a punishment of imprisonment for a maximum period of three years, a fine not exceeding one lakh rupees, or both, for using a computer resource to impersonate someone in order to cheat. An FIR can also be registered under various sections of the Indian Penal Code, 1860 (IPC). Section 419 of the IPC addresses the offense of “cheating by personation.” According to this section, whoever cheats by pretending to be another person, either in person, or by using any electronic communication device or computer resource, shall be punished with imprisonment for a term that may extend to three years, or with a fine, or both.

Section 420 of the IPC pertains to the act of defrauding someone and dishonestly inducing them to deliver property. This section prescribes a penalty that includes both a fine and imprisonment, with the maximum imprisonment term being seven years.

The IPC also contains provisions for dealing with situations involving document forgery, where a fabricated document is passed off as genuine. The penalties for such offenses are specified within the relevant sections of the IPC.

The Bharatiya Nyaya Sanhita (which is aimed at replacing the IPC) will also penalise identity theft, and Section 15 of the Digital Personal Data Protection Act, 2023 places duties on Data Principals, one of which is to not impersonate others while providing their data. A penalty of up to Rs. 10 thousand can be imposed on Data Principals for breaching their duties.

Major Privacy Updates of the Week

MeitY to host industry consultation on India's data protection law implementation

The Ministry of Electronics and Information Technology (MeitY) will be conducting a consultation meeting in New Delhi regarding India’s latest Data Protection Regulation, the Digital Personal Data Protection Act, 2023 (DPDPA).

The government plans to establish a graded timeline for DPDPA rule implementation, with indications that Big Tech companies may receive less time compared to startups, MSMEs, government departments, and state governments. The government has prepared a broad draft consisting of 21 rules under DPDPA, on which consultations would soon begin.


US lawmakers introduce Banning Surveillance Advertising Act

On September 18, 2023, Representatives from various states jointly introduced the Banning Surveillance Advertising Act. This Bill is designed to prohibit advertising networks and facilitators from utilizing personal data for targeted advertisements. It forbids advertisers from targeting ads based on protected class information, such as race, gender, and religion, along with personal data obtained from data brokers. However, the bill does allow for targeting based on broader location parameters and permits contextual advertising.

This new Bill has garnered support from public interest organizations, academics, and privacy-focused businesses, aiming to address issues related to online manipulation, extremism, misinformation, and privacy concerns.


Saudi Arabia’s amended Personal Data Protection Law comes into effect

Saudi Arabia’s updated Personal Data Protection Law (PDPL) became effective on September 14, 2023, after its enactment by royal decree on September 16, 2021. Following its enactment, five crucial amendments were introduced via another royal decree on March 27, 2023.

This law, the first of its kind in Saudi Arabia, focuses on safeguarding individual privacy by regulating data collection, processing, disclosure, and preservation. It defines personal data, sensitive data, genetic data, and health data, while emphasizing direct data collection, legitimate interests, and circumstances for data disclosure. Moreover, violations under the PDPL are subject to penalties determined by a designated committee under Article 36 of the law.

TikTok Fined $368m For Child Data Privacy Offenses

TikTok has been fined €345 million ($368 million) due to breaches of the GDPR involving child users, as confirmed by Ireland’s Data Protection Commission (DPC). Following an investigation spanning from July 31, 2020, to December 31, 2020, the DPC’s final decision highlighted violations of several GDPR articles.

Notably, TikTok had public profile settings by default for children, enabled non-child users to pair with child accounts, lacked transparency for young users, and used “dark patterns” to influence users to choose privacy-intrusive options. The social media giant has not only been fined but is mandated to bring its processing into compliance within three months.

California attorney general reaches $93M settlement with Google

California’s Attorney General, Rob Bonta, has revealed a $93 million agreement with Google in response to allegations of violating California consumer protection laws concerning location-privacy practices. This settlement follows an extensive investigation by the California Department of Justice, uncovering Google’s collection, storage, and utilization of users’ location data for consumer profiling and advertising without proper consent. Alongside the financial settlement, Google has committed to stricter injunctive terms aimed at preventing future misconduct. However, the settlement is pending court approval.

Curated by: Prajwala D Dinesh, Ritwik Tiwari, Ayush Sahay

