Cloud
India
Software

Total data loss for Indian property developers.
Courts to determine responsibility.
Centralised assets create points of failure.

The experiences of building developers Adarsh Developers at the hands of cloud provider AWS is a cautionary tale for those organisations entrusting their most valuable assets to the cloud.

In May 2023, the company was persuaded to opt for a system upgrade by AWS to increase the security of its cloud-hosted assets. Adarsh Developers hosted its ERP platform, SAP S/4HANA, on AWS. Given that AWS and SAP held data vital to the company (including detailed financial records), the proposed update seemed like a sensible idea.

Fast forward to January 9th this year, and the company discovered that as of 10:48am, the entire SAP S/4HANA platform had been wiped from AWS disks, thus bringing the business to a complete halt. With no customer data, supplier details, financial information – everything, in fact – it was as if Adarsh Developers no longer existed on AWS. According to The Hindu, the company has since estimated its losses at ₹5 crores (around US$576,500) per day since Jan 9.

The Indian police have raised an FIR (first information report) against AWS under the IT Act, citing fraud and impersonation. Adarsh Developers states its financial losses due to the data outage are in excess of ₹100 crores (US$11.5 million), quoting this figure in the filing.

The company’s SAP integration and consultancy partner, SAVIC, has investigated the massive data loss, and placed the blame at the doors of AWS, and/or its reseller, the Redington Group. The company claims in the FIR that the deletion of Adarsh Developers’ data was invoked “at root level” (meaning by an account with superuser privileges) by Redington personnel.

AWS India, via a spokesperson to The Hindu, stated: “The claims against AWS are false. AWS operated as designed and is not responsible for the deletion […].” All the parties involved (SAVIC, Redington, AWS, and Adarsh Developers) have to submit technical data to back their stories.

The case and the issues surrounding massive data loss from cloud providers throw into relief several issues that are continuing concerns of data professional, operations managers, cybersecurity personnel, and systems providers.

Any complexity in an IT supply chain increases the chances of data loss, and delays the identification of the root causes of critical issues (and therefore, their remediation),
Service centralisation in terms of computing platforms (using an ERP as opposed to multiple point-products) comes with inherent risk,
Provisioning a single cloud provider can create another point of failure.

If there is one lesson to be learned from the experience of Adarsh Developers, it is that cloud providers are not responsible for maintaining the integrity nor even continuing existence of data stored with them, and, therefore, are not responsible any client’s business continuity. Although companies like AWS, Microsoft, and Google are household names, there is no guarantee that a business’s assets kept by them are inviolable. Even such ‘givens’ as Office 365 email continuing reliably have to be questioned, and companies should take steps to ensure their own data is quickly recoverable, regardless of hosting and platform(s).

Whatever the eventual outcome of the Indian court proceedings, the victim in this case can’t hope to achieve enough compensation for its loss of business, reputation, and time. Cloud services are merely ‘someone else’s computer’. The realisation of the implications of centralisation, and in some cases, the high cost of cloud services is leading many organisations to adopt multi-cloud strategies, or take at least some of their critical systems back on-premise.

Human error is the most likely cause of the disaster that has befallen Adarsh Developers, and the culprit being established is moot, apart from giving Adarsh a possible source of compensation. Mistakes, misconfiguration, or security lapses will happen, and investment in appropriate recovery processes is (or should be) as central to modern businesses as email and internet access.

The most-publicised data losses stem from the activities of bad actors, either externally or in the guise of insider threats such as disgruntled employees. Simple human error gets little coverage.

About the Author

Dashveenjit Kaur

Dashveen writes for Tech Wire Asia and TechHQ, providing research-based commentary on the exciting world of technology in business. Previously, she reported on the ground of Malaysia’s fast-paced political arena and stock market.