Data Loss in Cloud Storage – science & technology

Data Loss in Cloud Storage – science & technology

NEWS: A recent legal dispute has brought the issue of data loss in cloud storage to the forefront. Adarsh Developers, a Bengaluru-based real estate firm, filed a complaint against Amazon Web Services (AWS). 

 

WHAT’S IN THE NEWS?

Background of the Case

  • On February 11, 2025, Adarsh Developers, a Bengaluru-based real estate company, officially filed a criminal complaint against Amazon Web Services (AWS), alleging that their entire financial and customer data repository had been permanently lost.
  • The company claimed that the data loss resulted in an estimated financial setback exceeding ₹150 crore, significantly disrupting their business operations.
  • This incident has raised several concerns related to data security in enterprise-grade cloud storage, the necessity of maintaining multiple backup versions of critical data, and the legal aspects surrounding cloud-based service failures.

 

The Incident: How the Data Loss Occurred

  • Usage of AWS Cloud Services:
    • Adarsh Developers had been using SAP Enterprise Resource Planning (ERP) software, specifically the SAP S/4HANA system, hosted on AWS for managing its financial transactions, customer records, supply chain operations, and business analytics.
  • AWS Representative’s Recommendation for an Upgrade:
    • In May 2023, an AWS business development representative named Saidalawi Safan recommended that Adarsh Developers upgrade their cloud storage and security infrastructure.
    • The stated reason for the upgrade was to enhance data protection and mitigate risks associated with cyber threats such as hacking, cyberterrorism, or sabotage.
    • Adarsh Developers complied with the suggestion and proceeded with the recommended service enhancements.
  • Sudden and Complete Data Loss:
    • On January 9, 2025, at precisely 10:48 AM, Adarsh Developers discovered that their entire SAP S/4HANA data environment hosted on AWS had been permanently deleted.
    • The company immediately launched an internal inquiry in an attempt to trace the reason behind this unexpected data deletion.
    • Upon reaching out to SAVIC Technologies Pvt. Ltd., their technology partner, Adarsh Developers was informed that the deletion was allegedly caused by actions taken by certain individuals from Redington (a vendor) and AWS personnel.
  • Unclear Circumstances Surrounding the Deletion:
    • The specific details regarding the exact actions performed, the intent behind them, and the technical aspects of the alleged deletion remain unknown.
    • A thorough forensic investigation is required to determine whether this was an accidental misconfiguration, unauthorized access, a cyberattack, or a deliberate act of data destruction.

 

Impact on Adarsh Developers

  • Immediate Business Disruptions:
    • The loss of data led to a complete breakdown of all essential business functions, including:
      • Inability to process customer payments, leading to cash flow issues.
      • Inability to file statutory tax returns, potentially inviting legal and regulatory penalties.
      • Disruptions in financial management, preventing the company from calculating and paying interest to lenders and stakeholders.
      • Loss of supply chain records, making it difficult to track ongoing projects, vendor payments, and procurement.
  • Financial Losses:
    • As of January 31, 2025, Adarsh Developers estimated the total loss at approximately ₹150 crore.
    • Additionally, the company calculated that the daily financial loss due to halted operations amounted to ₹5 crore starting from January 9, 2025.

 

Legal Action and Charges Filed

  • FIR Registration and Applicable Laws:
    • Adarsh Developers filed a First Information Report (FIR) on February 11, 2025, leading to a formal cybercrime investigation.
    • The case has been registered under the following provisions of Indian law:
      • Information Technology (IT) Act (specific sections yet to be disclosed).
      • Section 318(4) of the Bharatiya Nyaya Sanhita (BNS) – This section pertains to cheating and fraud, which Adarsh Developers alleges AWS and other involved parties have committed.
      • Section 319(2) of the BNS – This section deals with impersonation, suggesting that unauthorized access or identity misuse may have played a role in the data loss.
  • Ongoing Cybercrime Investigation:
    • The cybercrime police are currently investigating the allegations, seeking to determine whether the deletion was:
      • A result of intentional actions by Redington or AWS personnel.
      • A case of unauthorized access or cyberattack.
      • A misconfiguration or accidental deletion due to human error.

Possible Causes of Data Loss

  • Not Necessarily Malicious Intent:
    • While major data loss incidents are often attributed to hacking attempts or insider threats, they can also result from various technical and operational issues, including:
  • Cloud Misconfiguration:
    • Improper cloud storage settings, security policies, or system architecture could lead to accidental data deletion.
    • Weak database security, poorly managed access controls, or unprotected cloud environments can also make data vulnerable to loss.
  • Human Error:
    • Mistakes by IT administrators, miscommunication between vendors, or improper execution of system commands could have resulted in unintended deletion of critical data.
  • Vendor or Third-Party Involvement:
    • In the FIR, Adarsh Developers specifically mentioned that employees of Redington had allegedly accessed the company’s AWS storage environment at the root level and deleted their account entirely.
    • However, without concrete forensic evidence, it is not possible to pinpoint the exact cause of the data loss.
  • Requirement for a Comprehensive Investigation:
    • A full-fledged technical analysis involving AWS, Redington, SAVIC, and Adarsh Developers is necessary to verify the claims made by each party and establish accountability.

 

Amazon Web Services’ (AWS) Response

  • AWS categorically denied any responsibility for the data loss, stating:
    • "The claims against AWS are false."
    • "AWS operated as designed and is not responsible for the deletion of Adarsh Developers’ data."
  • AWS also informed Adarsh Developers that retrieving or restoring the lost data was not possible, which compelled the real estate firm to pursue legal action.

 

Similar Cases of Cloud Data Loss in the Past

Several instances of data loss involving cloud service providers have been reported globally, including:

  • Microsoft Azure Outage (January 29, 2019):
    • Affected Azure SQL databases, leading to partial data loss for some users.
    • Microsoft compensated customers by waiving cloud usage charges for 2-3 months, depending on the severity of the impact.
  • Code Spaces AWS Breach:
    • Code Spaces, a cloud-based code hosting service, suffered a Distributed Denial of Service (DDoS) attack.
    • Hackers gained access to its AWS account, deleted all primary and backup data, and caused irreparable damage.
    • The company was forced to shut down operations permanently due to the complete loss of its stored information.

 

Key Takeaways and Lessons Learned

  • Cloud Storage Risks: Organizations must ensure robust security measures, regular monitoring, and proper access control to prevent accidental or malicious deletions.
  • Multiple Data Backups are Essential:
    • Relying on a single cloud provider is risky; businesses should maintain redundant backups in offsite locations.
  • Legal and Contractual Clarity:
    • Service-level agreements (SLAs) must clearly define data recovery policies, responsibility in case of data loss, and vendor accountability.
  • Growing Need for Cybersecurity Compliance:
    • Companies must invest in cybersecurity training and audits to minimize vulnerabilities in cloud-based systems.

 

Ongoing Investigation and Future Implications

  • The cybercrime police are continuing their investigation, seeking further technical evidence.
  • The case could potentially set a legal precedent for cloud service liability and enterprise data protection laws in India.
  • A final verdict from the courts or investigative agencies will determine whether AWS, Redington, or other involved parties can be held accountable for the incident.

What are the Key Points about the Draft Digital Personal Data Protection Act (DPDP Act) Rules, 2025? 

  • About: It is a set of rules that operationalize the Digital Personal Data Protection Act (DPDP Act), 2023, to protect citizens' digital personal data while fostering India’s digital economy and innovation. 
  • Data Transfer: The rules allow the transfer of certain personal data outside India, as approved by the government. 
  • Citizens at the Core: Citizens are granted rights to demand data erasure, appoint digital nominees, and have user-friendly mechanisms to manage their data by Data Fiduciaries. 
    • Entities such as social media platforms, e-commerce companies and online gaming platforms, etc, that collect and process an individual's personal data are data fiduciaries. 
  • Data Erasure: Data retention is allowed for up to three years from the last interaction with the Data Principal (Users) or the effective date of the rules, whichever is later. 
    • The Data Fiduciary must notify the Data Principal at least 48 hours before erasure. 
  • Digital-First Approach: The rules also prescribe a "digital by design" Data Protection Board of India (DPBI) for consent mechanisms and grievance redressal, for faster resolution of complaints and grievances online.  
  • Graded Responsibilities: Graded responsibilities cater to startups and MSMEs with lower compliance burden, while Significant Data Fiduciaries have higher obligations.  
    • Digital platforms with a large number of users such as Facebook, Instagram, YouTube, Amazon, Flipkart, Netflix, etc, will qualify as significant data fiduciaries. 
  • Consent Managers: The digital platform may also collect consent through consent managers. 
    • A Consent Manager handles the collection, storage, and use of user consent, mainly for data privacy and digital interactions. 
    • Consent Manager must be a company incorporated in India with sound financial and operational capacity, having a minimum net worth of two crore rupees.   
  • DPBI: Draft rules have spelt out a framework for setting up the DPBI that will have civil court powers for personal data breach complaints.

 

What is Cloud Computing?

Cloud computing refers to the on-demand delivery of IT resources over the Internet with pay-as-you-go pricing, allowing users to access computing services without the need for upfront investments in physical infrastructure.
Instead of purchasing, owning, and maintaining physical data centers and servers, individuals and businesses can access a wide range of technology services—including computing power, storage, networking, and databases—from a cloud service provider such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP).

 

Usage of Cloud Computing

Organizations across various industries, regardless of their size, type, or business model, are leveraging cloud computing for a broad range of use cases, including:

  • Data backup and disaster recovery: Ensures that critical business data is securely stored and can be recovered in case of system failures or cyber-attacks.
  • Email and communication services: Enables cloud-hosted email solutions and collaboration tools for businesses.
  • Virtual desktops: Provides employees with remote access to desktop environments from anywhere in the world.
  • Software development and testing: Offers developers a scalable and flexible environment to build, test, and deploy applications.
  • Big data analytics: Supports processing and analyzing large volumes of data to gain actionable business insights.
  • Customer-facing web applications: Hosts websites, e-commerce platforms, and mobile applications to serve global audiences efficiently.

 

Types of Cloud Computing

1. Infrastructure as a Service (IaaS)

IaaS provides virtualized computing resources, such as servers, storage, and networking, allowing businesses to build and manage their own IT infrastructure without investing in physical hardware.

  • Key Features:
    • Highly scalable and flexible infrastructure.
    • Users have full control over operating systems, applications, and networking settings.
    • Offers on-demand access to computing power, allowing businesses to scale resources up or down based on needs.
  • Use Case:
    • Suitable for businesses that require customizable IT environments for hosting applications, databases, or enterprise systems.
    • Commonly used by companies running large-scale web applications, data processing workloads, and storage solutions.

2. Platform as a Service (PaaS)

PaaS provides a development and deployment platform that enables users to build, run, and manage applications without worrying about the underlying hardware, software, or network configurations.

  • Key Features:
    • Includes pre-configured tools and frameworks for application development.
    • Supports automated infrastructure management, reducing operational burden.
    • Developers can focus entirely on writing and optimizing code while the cloud provider handles server management, security, and updates.
  • Use Case:
    • Ideal for software developers who want to create, test, and deploy applications efficiently without managing the infrastructure.
    • Commonly used for developing web applications, mobile apps, and enterprise software.

3. Software as a Service (SaaS)

SaaS delivers fully managed, cloud-hosted software applications that users can access over the internet, eliminating the need for software installation, maintenance, and manual updates.

  • Key Features:
    • Software is maintained, updated, and secured by the provider.
    • Accessible from any device with an internet connection and web browser.
    • Subscription-based pricing model, often billed monthly or annually.
  • Use Case:
    • Widely used for email services (e.g., Gmail, Outlook), customer relationship management (CRM) tools (e.g., Salesforce), productivity suites (e.g., Microsoft 365, Google Workspace), and enterprise resource planning (ERP) solutions.
    • Beneficial for businesses that want cost-effective, scalable software solutions without the need for in-house IT maintenance.

 

Source: https://www.thehindu.com/sci-tech/technology/what-does-the-aws-adash-developers-case-tell-about-cloud-data-management-explained/article69250253.ece