On October 22, domestic pharmaceutical major Dr Reddy's Laboratories informed the stock exchanges that the company had been the target of a cyber attack the previous night. Dr Reddy's said that it has isolated its data center services across the globe to take required preventive steps. The cyber attack became a cause of concern for not just the company but the Covid-19 troubled world as Dr Reddy's had recently inked a pact with Russian Direct Investment Fund to conduct trials of Sputnik V and distribute vaccines in India.
And, there have been reports of cyber attacks or data thefts from laboratories working on Covid-19 from other parts of the world too. The company has not disclosed the nature of the attack or the extent of data breach. In fact Mukesh Rathi, CIO, Dr Reddy's said the company is anticipating all services to be up within 24 hours and they do not foresee any major impact on our operations due to this incident.
Investigations may reveal the details of damage the cyber attack has caused to Dr Reddys, but how to investigate a crime perpetrated from some location (within the country or outside) in the digital space?
Cyber forensic consultant and Honorary Chief Technology Advisor of DGP, Kerala Police Vinod Bhattathiripad says companies and countries have broadly four options before them to collect evidence from abroad and look out for sensitive information that may prove to be vital pieces of evidence of cyber crime.
But evidence collection comes at a later stage of the investigation process. The first step is to build a case.
"Until we know what kind of data breach happened (at Dr Reddys), it will be difficult to be precise, but data theft is basically a theft so the first move will be to register a case under various sections of Indian Penal Code (IPC). Since it is a digital theft, sections under the Indian Information Technology Act will also be applicable. A criminal lawyer who is in the know will decide the sections which pertains to this specific theft. The third aspect of investigation is that in this case, evidence gathering will not be limited to Indian jurisdiction. Wherever it is, it will have to be brought in and presented according to the provisions in the Section 65B (which spells out the admissibility of electronic records) of the Indian Evidence Act," says Bhattathiripad.
"The Indian servers of the company will give you indication of the breach. Hence a forensic analysis of Indian servers should be done first. Once you have the information about the IP addresses and the servers, you will have to approach the countries where those servers are located to collect the evidence from servers abroad," he adds.
But here is the issue. The police will not have direct access to that information. While the Code of Criminal Procedure - the Criminal Procedure Code (CrPC) will have to be used to collect digital evidence from within India, for seeking information from servers in foreign locations, two criminal data exchange treaties - Mutual Legal Assistance Treaty (MLAT) and UNTOC - will come handy. By invoking the respective sections of one of these treaties investigating agencies can access the required information. "The third option, is to obtain a court order from India for obtaining the particular evidential information from the specific server in a particular country. This court order will help the server administrator abroad to get an identical court order from the country where the server is located and then share the evidential information with Indian police," says Bhattathiripad.
The problem is not in the collection of evidence, though. It arises when there is no treaty between countries for the exchange of such criminals and evidential information. That is when, the fourth option, the Interpol comes. However it is not required for most cases, adds Bhattathiripad.
Irrespective of the seriousness of the data breach, it's going to be a lengthy investigation ahead for Dr Reddy's.
The cyber crime sends a message to the law makers too. It points to the relevance of the absence of a General Data Protection Regulation in India. Had there been such regulations, similar to that existing in Europe, Dr. Reddy's would have been stricter and more cautious on its cyber security and thus, their data would have been safer.