A few days ago, the Intelligence Fusion and Strategic Operations (IFSO) unit of the Special Cell of the Delhi Police filed an FIR in the CoWIN data breach case and arrested two brothers from Bihar. They allegedly used their mother's CoWIN ID to leak data. According to the police, the brothers gained unauthorised access to information on the CoWIN portal and created a bot to carry out a CoWIN data breach on Telegram. However, investigations revealed that the brothers only obtained data from a few individuals in Bihar. The large volume of leaked data on Telegram indicates the involvement of numerous non-state actors in breaching government data. Despite this, the government still seems to grapple with protecting citizens' data and safeguarding their privacy.
Pawan Duggal, Supreme Court advocate and cybersecurity expert, speaks to The Probe's Rageshree Sengupta on the CoWIN data breach
Hackers often target health data due to its high value in the dark market. This type of data fetches a premium price because it provides a wealth of information. Beyond just revealing an individual's health parameters and medical conditions, it offers insights into potential areas where the person may require assistance. These areas can include health-related needs and financial vulnerabilities, making medical data a fertile target for criminals. The information contained in medical data goes beyond simple health records. It can include details about medications, treatment plans, diagnoses, and even sensitive personal information such as unique IDs or insurance details.
In the second week of July, reports surfaced regarding a data breach of CoWIN on the messaging platform Telegram. It was claimed that a Telegram bot had accessed CoWIN data, leading to concerns about the security of citizens' information. In response to these reports, Rajeev Chandrasekhar, the Minister of State for Electronics and IT, stated that the Indian Computer Emergency Response Team (CERT-In) had investigated the alleged breach and determined that the CoWIN portal itself was not directly compromised. According to Chandrasekhar, the data being shared on Telegram, including citizens' Aadhaar and passport numbers, was sourced from previously breached databases and not obtained through a direct breach of the CoWIN system.
To clarify the situation, the Health Ministry issued a press release which essentially dismissed the possibility of CoWIN's APIs (Application Programming Interfaces) being utilised by the Telegram bot to obtain the data. However, these statements from the government have left many questions unanswered and have raised further doubts regarding the incident.
What may have caused the CoWIN data breach
Rahul Sasi, co-founder and CEO of cyber-security firm CloudSek, provides insights into the possible causes of the data breach. He explains, "Our initial analysis found that health workers' passwords were leaked on the dark web. These health workers uploaded the details of the citizens on the government website. The health workers' usernames and passwords were leaked on the dark web, which may have facilitated unauthorised access to the data". Sasi further suggests another possibility, stating, "The second assumption is that there was an unauthorised leak of the API which the attackers may have used. That is what was used to run the Telegram bot. We feel the attackers had access to one of the internal APIs".
In Duggal’s words: “The AIIMS ransomware attack that took place last year was a wake-up call because extensive data of Indians had been compromised, and now, in less than a few months, we have an attack on CoWIN. This sequence of events serves as a stark reminder of the vulnerability of critical systems and the urgent need to implement robust cybersecurity measures to protect sensitive information. The recent breach of CoWIN, targeting India’s health data and the well-being of its citizens, further underscores the severity of the situation. It is imperative that we view this as a national emergency, given CoWIN’s criticality as India’s central health information repository. The escalating frequency of ransomware attacks calls for immediate action to bolster cybersecurity defences.”
The government can’t be in a perpetual denial mode when its systems have been breached
Duggal further adds that the government should acknowledge data breaches each time they occur instead of denying them. “Many times in the past, we have seen how the government had denied such breaches. But now, since the screenshots and details of the data that has been breached are there on the online space, it is high time that this entire case is investigated from a criminal standpoint.” Duggal highlights the importance of treating these breaches as criminal offences.
Stressing the significance of government transparency in the face of data breaches, Shekhar says that the government should openly disclose the scale of the attack to the public. “Whenever there is a data breach, the government should be very open about it and inform the people about the attack’s magnitude and scale so that people can be prepared. This disclosure is very important; otherwise, how can the public at large be ready to face any eventuality?”
Dr Prashant Mali, a cyber expert and lawyer practising in the Bombay High Court, highlights the conflicting views within government agencies regarding the data breach. He states, “There are conflicting views from various government agencies. On the one hand, the health ministry has said that there is something which they want to investigate. On the other hand, the Ministry of Electronics and Information Technology (MeitY) has said that nothing has been leaked, and whatever leak has happened has happened from previous databases and segments from different contact points. There is negligence in following reasonable cybersecurity practices, which may have led to the massive data leak from different contact points”.
India still does not have laws in place to tackle cyber attacks
“Indian cyber law - the Information Technology Act 2000 is not a cybersecurity law. It was amended in 2008 to include the legal definition of cybersecurity and also to put in certain cosmetic provisions of cybersecurity, but by and large, it is not adequate to deal with the huge myriad of challenges that cybersecurity breaches are throwing up. We need a new cybersecurity legal framework,” asserts Duggal.
Duggal emphasises the limitations of CERT-In and states, “CERT-In is investigating the CoWIN data breach case, but the fact is that CERT-In does not have investigative powers that the law enforcement agencies have, and therefore, it intrinsically lacks the capacity to take action which is of penal nature”. He further asserts, “Apart from CERT-In, I am of the firm opinion that an FIR needs to be lodged and the matter needs to be criminally investigated by the police because these are various offences that have been committed under the Information Technology Act 2000 and also under the Indian Penal Code (IPC)”.
FIRs are hardly registered, and convictions are abysmally low
In today’s interconnected world, the threat of cyberattacks looms large, and governments are not immune to this growing menace. With India’s vast population and extensive datasets, the country finds itself at the forefront of a virtual battle. Hackers and attackers are constantly evolving their techniques, but unfortunately, India’s legal framework has not kept pace with these advancements. This has resulted in a pressing need for a more proactive approach from the government to combat cybercrimes.
Shekhar explains, “Let me be very honest. On a daily basis, government organisations’ data is being hacked. Unfortunately, in cybersecurity, the convictions are awfully low. There is so much inefficiency in the current system that even when numerous complaints are lodged, only a fraction of them progress to FIRs (First Information Reports). Furthermore, the abysmally low conviction rates in India fail to instil fear in the minds of cybercriminals, allowing them to operate with impunity”.
What can you do if your data is breached?
Justice Puttaswamy’s judgement asserts that individuals have a fundamental right to privacy. The judgement, commonly referred to as the “Right to Privacy” judgement, was delivered by a nine-judge bench of the Supreme Court of India in August 2017. The court held that the right to privacy is protected as an intrinsic part of the right to life and personal liberty guaranteed under Article 21 of the Indian Constitution. Under Section 43 of the Information Technology (IT) Act, 2000, entities that fail to protect sensitive personal data and information from unauthorised access or disclosure may be held liable for compensation.