Indian Airtel: Bug meant users' personal data was not secure

By Shadab Nazmi
BBC News

  • Published
In this photo illustration an Airtel logo seen displayed on a smartphoneImage source, Getty Images

A bug was found in India's third-largest mobile network which could have exposed the personal data of more than 300 million users.

The flaw, discovered in the Application Program Interface (API) of Airtel's mobile app, could have been used by hackers to access subscribers' information using just their numbers.

That information included things like names, emails, birthdays and addresses.

The flaw was fixed after the BBC highlighted the issue to Airtel.

"There was a technical issue in one of our testing APIs, which was addressed as soon as it was brought to our notice," an Airtel spokesperson told the BBC.

"Airtel's digital platforms are highly secure. Customer privacy is of paramount importance to us and we deploy the best of solutions to ensure the security of our digital platforms," the spokesperson added.

The flaw was found by independent security researcher Ehraz Ahmed. "It took me 15 minutes to find this flaw," he told the BBC.

Along with the information above, customers' International Mobile Equipment Identity (IMEI) numbers were also accessible. The IMEI number is a unique numerical identifier for every mobile device.

How serious could this have been?

According to the Telecom Regulatory Authority of India (TRAI) report, Airtel had close to 325 million active subscribers by the end of September 2019. It has the third-largest subscriber base after Vodafone-Idea (372 million) and Reliance Jio (355 million).

In October this year, a local search service named Justdial was found to have a flaw in its API that could have potentially affected 156 million users in India.

Image source, Getty Images

Justdial acknowledged the flaw and accepted the bug which could be potentially accessed by an expert hacker.

What does the law say?

India doesn't have any specific legislation that deals with data protection.

However, in line with the European Union's General Data Protection Regulation (GDPR), the government introduced a draft personal data protection law called the Personal Data Protection Bill in 2018.

This proposed rules on the collection, processing and storage of personal data, along with penalties, compensation and a code of conduct.

On 4 December, the federal cabinet headed by Prime Minister Narendra Modi approved the Personal Data Protection Bill.

"Will not be able to share more details about the bill as it will be introduced in the Parliament soon," federal minister Prakash Javadekar told a press briefing after a cabinet meeting on Wednesday.