Nirmal John - Breach: Remarkable Stories of Espionage and Data Theft and the Fight to Keep Secrets Safe

Im Bruce Wayne. Im also Peter Parker. At times, I am Rajinikanth.

One of the greatest things about my job as a business journalist is that no two days are the same. I get to talk to extremely interesting people on subjects as varied as the economics of asteroid mining, delivering education to a screen-obsessed generation, or the impact of artificial intelligence on the travel industry.

There is always the option to have these meetings in a local cafe. But I prefer going to their offices because I believe it reveals more about the person Im meeting and provides what my editor calls colour. It was during one of these trips to an office a few years back that I started my experiments with multiple personalities.

The first person to welcome me in nearly all the offices I visit is the security guard, usually clad in an ill-fitting uniform in a not-so-fetching shade of blue and a cap perched uncomfortably on his head. He usually sits on a plastic chair behind a small desk, with both the chair and the desk out of sync with rest of the office decor. As I walk in, he asks if I have an appointment, and as soon as I answer that question, he thrusts a large register in front of me.

Sir, entry kar lo. [Please enter your name.]

I nod and proceed to write my name. Then, without even as much as a glance at what I have written in the register, he motions me inside the office.

One day, in 2012, this flow changed. I had a meeting with the managing director of a multinational firm in Gurgaon for a story that I was working on. As usual, I was about to enter my name in the register when a thought occurred to me. Did it matter what I wrote in the register? Would they know if I put in a fake name? Were the guards really keeping a track of visitors by the information they provided about themselves?

It was around the time when the third movie in Christopher Nolans Batman trilogy, The Dark Knight Rises, had come out. Instead of writing my name, I wrote Bruce Wayne, Gotham City. I was a tad apprehensive of getting caught and being embarrassed, but I neednt have bothered.

I was ushered right in.

It was too easy. Since then I have passed myself off as Peter Parker, David Beckham and Rajinikanth in offices in Bengaluru, Mumbai, New Delhi, Noida, Gurgaon, Faridabad, Ghaziabad, Ahmadabad, Pune, Kochi, Hyderabad, Mysore, Jaipur, Chennai and many other cities. I have written these names at the offices of Indias biggest start-ups to its biggest financial institutions and largest conglomerates and everything in between. I have even done it in companies that provide security services, both digital and physical.

There are rare offices which ask for your identification and those, of course, stay out of bounds for my little superhero transformations. But most offices dont ask for anything more than a cursory entry into the register.

This little experiment got me thinking. If it was as easy as that for an amateur like me to saunter into the offices of some of the biggest companies in the country, without even having to disclose my real name, what about those with nefarious intent? How often did those with malicious ideas do what I did? More importantly, did those who were adept at the art of deception even break into a sweat if and when they wanted to steal information? Why werent Indian companies investing in better security? Why wasnt I getting caught?

Theres more. We have stepped well and truly into a digital world. Although data has always been valuable in the context of most businesses, it has now acquired an altogether elevated stature. The Economist called data the new oil. Much of the obnoxiously high valuations for technology companies in the e-commerce era currently underway in India and around the world are not based on how much they sell, but on how much they know. Google, Facebook, Amazon, Alibaba, Tesla and Flipkart have become valuable because of this access to data.

In India, if it is so easy to find holes in the wall of physical security that Indian businesses build around them, how robust is their digital security? More importantly, how robust are the security practices pertaining to how the government handles this new era of data? After all, data is the currency of this century and any compromise on data integrity is an existential risk, not just for businesses but also for countries.

There are instances aplenty of hacking and stolen data from the most advanced of economies. Big names in business, including Sony,

In the following pages, you will read a few instances of data theft in India and how those fighting the threat reacted. As India grows and as more and more people move online, it becomes an even juicer target for criminals. Any number of reasons, from corporate espionage to cyberwarfare to financial gain to geopolitical manoeuvring to stalking, might motivate this criminal behaviour. There are many black hat hackers who do what they do simply because they can. What is certain is that the wealth of data that is being collected by companies and the government will constantly be under threat from those who want a peek.