Data breach: Microsoft shared Indian bank customers financial details with US intelligence agencies
Reserve Bank of India has flagged the data sharing by the service provider in its Risk Assessment Report (RAR), which has been placed before the banks audit committees for a response.
This article, first published on October 30, 2018 has been updated with the response from Microsoft on November 5, 2018.
Microsoft routinely shared Indian bank customers’ financial details with the US intelligence agencies, a bank document related to Reserve Bank of India (RBI)’s risk observation, seen by DNA Money, reveals. The data of customers running an account with banks that have migrated to Microsoft Office 365 cloud-based email service has been found to have been shared with the US agencies.
Reserve Bank of India has flagged the data sharing by the service provider in its Risk Assessment Report (RAR), which has been placed before the banks’ audit committees for a response.
Customers may not be aware that their financial details are being shared with the US security and intelligence agencies. But Indian banks are fully aware of the development.
According to the response of RBI’s observation, banks know that Microsoft might be sharing their customers’ data to US agencies since they had purchased and migrated to Microsoft’s cloud-based email service - Office 365.
In a specific case, RBI observed in its risk report, “All the mailboxes had been migrated to office 365 Microsoft cloud environment.
It was gathered from the Microsoft transparency hub that Microsoft is bound to share customers’ data under US Foreign Intelligence Surveillance Act (FISA) and US national security letters as and when required by the US authorities.”
According to the RBI observation,submited to an audit committee of a bank, from 2014 to 2016, Microsoft had disclosed information on 3,036 occasions after more than 4,000 government requests or legal demand requests for Indian customers in the US.
Banks have entered into a deal with Microsoft regarding the data sharing of their customers. In response to the RBI risk assessment observation, seen by DNA Money, a bank acknowledged that they have agreed with Microsoft, and according to the deal, Microsoft will only share the bank customers’ data if the order was issued by the government of India or an Indian court.
In the case of the US, the bank responded, “The US government issues gag orders for the same with prior intimation to us. We have incorporated appropriate provision to that effect in the legal agreement.”
More than 100 million people use Office 365 commercial, according to a latest Microsoft report.
DNA Money asked banks about how many US authorities’ requests have been responded and have been disclosed the Indian customers’ details by your email provider— Microsoft - in the last five years (2014-2018). Several attempts to contact RBI and banks, through email and SMS on the issue did not elicit any response, except from State Bank of India (SBI) and Bank of Baroda.
An SBI spokesperson said, “In 2016 and 2017, Microsoft has advised that they received zero demands from the US law enforcement for commercial enterprise content (50+ seats) located outside the United States. In the first half of 2018, the latest time period for which Microsoft has data available, there was one demand from the US government for content data of a commercial enterprise located outside of the United States and Microsoft notified the customer, which is not SBI.”
On customer data sharing issue, Bank of Baroda said, “Protecting the interests of our esteemed customers is of paramount importance to us. The bank’s ‘systems and operations’ are robust - we stand committed to protecting our customers’ interests, and we have all the necessary systems in place to ensure the same.”
However, a cyber law expert said India needs stringent laws against such practices. Achen Jakher, advocate, Cyber Law, told DNA Money, “Preserving consumer information is extremely important in today’s digital world, especially critical financial information. Intermediary technological firms have to adhere to Supreme Court guidelines to not share data with third parties and not take the data out of the country under any circumstance. Unfortunately, IT companies find multiple loopholes citing technological implementation and flout this rule. It is the need of the hour to come up with stringent laws against such practices. We have to work towards protecting sensitive data of consumers and not share this data for paltry gains.”
Microsoft did not respond to the specific questions, but firmly defended its position on privacy.
Watch this Zee Business video
HERE
We would also like to set the record straight and call out the following points in particular:
1. We categorically deny allegations of the report that Microsoft provides the US government – or any government – with unfettered access to data or provides any customer data in contravention of our public statements and clearly articulated principles and contractual obligations.
Microsoft does not provide any government entity anywhere in the world unfettered access to customer data through any means including backdoors in products, special access etc. Microsoft never provides customer data unless we receive a legally valid warrant, order or subpoena about specific accounts or individual identifiers. If data is provided, it is done only after a thorough legal review to check whether the request is appropriate and consistent with the rule of law and Microsoft’s principles.
For commercial customers, absent extraordinary circumstances, Microsoft redirects governments to seek data directly from them and informs the commercial entity when any government seeks its data.
2. The story also mentions a number of alleged disclosures by Microsoft of data of Indian customers in the United States to the US Government, based on RBI’s risk report. These numbers do not match any data available to Microsoft and remain unverified. Microsoft does not record data on the nationality of our customers.
Please also note that Microsoft data centers in India began their operations towards the end of 2015 post which various Indian banks started to consume our cloud services.
Please refer to our Data Law site, where we detail everything we have done to protect our customers’ data as well as our principles explaining why we go to such lengths to fight for them.
Microsoft India
Get Latest Business News, Stock Market Updates and Videos; Check your tax outgo through Income Tax Calculator and save money through our Personal Finance coverage. Check Business Breaking News Live on Zee Business Twitter and Facebook. Subscribe on YouTube.