Last Updated:
In the past 8-10 years, several businesses have migrated to cloud. By 2018, almost 96% of organisations started using cloud computing in some way. (Representative Photo)
An FIR against Amazon Web Services (AWS) by Bengaluru-based Adarsh Developers over mishandling of data, leading to a financial loss of Rs 150 crore, has raised questions about cloud storage security and the importance of multiple backups to secure information.
Though it may seem that cloud computing and cybersecurity are not to each other, but there are. Cloud computing requires storing data off-site while cybersecurity means building virtual walls around it, that is, protecting your data at all costs.
How did Adarsh Developers data got wiped out from AWS cloud, what you should know about cloud computing and cybersecurity in India, let us find out.
Adarsh Developers has said the company had entrusted AWS with storing financial records and customer data, including details of investments in ongoing and upcoming projects.
The FIR was filed by the CCB’s Cyber Crime Police Station on February 11 following a complaint by Sridhar Rajendran from M/s Adarsh Developers. The complaint said the firm has been developing residential, commercial and hospitality projects across Bengaluru for 36 years.
Rajendran said they used “SAP ERP stored with Amazon Cloud Services” to store their financial data as well as the customers’ “personal data”.
In May 2023, Saidalawi Safan, a business development representative from AWS, allegedly contacted the firm and insisted on using their cloud storage servers to ensure data retrieval even in the event of cyberattacks or sabotage, according to the FIR.
“Believing such assurance, in December 2023, the company procured cloud storage facilities with AWS through SAP implementation partner M/s SAVIC Technologies Pvt Ltd, Mumbai. The work order was issued to them to shift the company’s data from the earlier cloud storage facility to the AWS and also to maintain the data securely for three years until November 2027. The payment was agreed for Rs 88,59,924, including GST,” Rajendran added.
On January 9, the implementation partner allegedly informed Adarsh Developers that “due to the actions of a few individuals at Redington and AWS teams, there has been a data loss”.
“(We were) further told that employees at Redington Group have entered into our storage area at the root level and deleted our account completely. This event has resulted in the loss of over six years of business data causing substantial financial and operational loss to the company.
“The deletion of SAP S/4HANA (a business suite used to manage data) has brought the business functions/operations to a complete halt and the vital financial records, supply chain data, customer information, and operational insights accumulated over years are now inaccessible,” as per the complaint.
Apart from AWS, the FIR, filed under the Bharatiya Nyaya Sanhita (BNS) and Information Technology Act, named Redington Group. An investigation has been initiated, senior officers said further.
Amazon has refused to accept Adarsh Developers’ allegations. “The claims against AWS are false. AWS operated as designed and is not responsible for the deletion of Adarsh Developers’ data,” said an AWS spokesperson in response to The Hindu.
One might think that data loss is a result of actions performed by malicious agents such as hackers or even disgruntled employees. But there could be a number of reasons behind data loss, especially when a company is trying to keep complex systems secure with the help of vendors, clients, technical partners and service providers.
What happened with Adarsh Developers could be perhaps due to cloud misconfiguration, which often stems from poorly implemented cloud storage settings, bad system architecture, low-quality security infrastructure, unsecured databases and unmanaged access, as per The Hindu.
Though the FIR mentions Reddington Group and AWS employees responsible for data loss, it is not possible to jump the gun without a comprehensive forensic investigation.
Over the past 8-10 years, several businesses have migrated to cloud, which has increased the possibilities of cyberattacks.
By the end of 2018, almost 96% of organisations started using cloud computing in some way, according to CIO.com. At the same time, cyberattacks were on the rise, with almost twice as many ransomware attacks in 2017 (160,000) as compared to the previous year (82,000), and these are only the reported attacks, nor do these numbers include data breaches or denial-of-service attacks.
Organisation: Cloud vendors know they must do their cyber-security part, but in the end, if a customer’s data is compromised, it is the firm that will have to be held accountable. Similarly, if an organisation falls victim to a ransomware attack, it is them that must pay the hacker. Two common causes of data breaches in the cloud are misconfigured access restrictions on storage resources and forgotten or improperly secured systems, both of which are the responsibility of the organisation, not the cloud vendor, as per NASSCOM.
Cloud Vendors: They have already invested enormous resources in their own products’ security. For example, major players such as Amazon (Amazon Web Services), Microsoft (Azure), and Google (Google Cloud Platform) ensure that security has been one of the highest priorities.
Cloud Computing: Sometimes cloud computing offers a security solution. Small to medium size businesses are particularly vulnerable to cyberattacks as they have limited resources to improve their cyber security. Moving to the cloud could improve their overall security because the cloud vendors have some of the toughest security in the IT. In fact, some argue that moving data to the cloud is more secure than keeping it on-site.
Cloud Security Bigger Than GDPR: In May of 2018, the General Data Protection Regulation (GDPR) became enforceable. Although it applies to residents of the European Union (EU) and European Economic Area (EEA), it has far-reaching effects for organisations all over the world. Post GDPR, those entities must make sure their data practices comply. Although the best way to ensure compliance is through legal counsel.
Internet of Things (IoT): IoT will undo a lot of progress made in securing cloud solutions, data centers and network infrastructures. With the explosion of IoT devices comes an explosion of security vulnerabilities because these devices often don’t have the level of security they should.
