CoWIN data leak | No CERT-in update yet; experts demand transparency

The CERT-in has not issued any statement or security alert directly on the massive leak of personal information tied to the CoWIN database

Updated - June 14, 2023 09:50 am IST - NEW DELHI

Senior citizens wait to register themselves for the first dose of COVID-19 vaccine in Bengaluru. File

Senior citizens wait to register themselves for the first dose of COVID-19 vaccine in Bengaluru. File | Photo Credit: K. Murali Kumar

The Indian Computer Emergency Team (CERT-in), the nodal cybersecurity agency that deals with incidents like breaches and vulnerabilities in cyberspace, has not directly put out any update on its assessment of the apparent breach of personal information of people who received vaccinations, registered on the Union government’s CoWIN platform.

CERT-in has not put out any alert to citizens that their Aadhaar or passport numbers, along with other personal details, may be hacked.

Also Read | CoWIN data leak from a non-governmental database operated by threat actor, says Union Minister

Additionally, a senior police official told The Hindu on Tuesday that no First Information Report has been filed following the breach. CERT-in was not immediately available for comments on Tuesday evening. While privacy, including informational privacy, was upheld as a fundamental right in the Constitution by the Supreme Court in 2017, the government has not passed a data protection Bill yet.

The only information from CERT-in so far comes from Minister of State for Electronics & Information Technology Rajeev Chandrasekhar, who said that the cybersecurity agency had found that “data being accessed by [the Telegram messaging app] bot from a threat actor database… seems to have been populated with previously stolen data.” It is unclear when this data was stolen and from where.

A report by private cybersecurity firm CloudSEK said the data appears to be not from CoWIN directly, but from a health worker who had inadequately protected vaccination beneficiary data. Commentators also pointed out that the data appeared slightly richer than what CoWIN possessed: namely, precise dates of birth were available for vaccine beneficiaries, even though the CoWIN portal only collected the year of birth. 

‘Need transparent probe’

Prasanth Sugathan, Legal Director at the New Delhi-based Software Freedom Law Center, said that CERT-in’s investigation “should be a transparent process” that “should inspire confidence in citizens in their public infrastructure”. Mr. Sugathan added, “What are the steps you need to take to ensure that nothing happens as far as financial information is concerned? We expect even in the absence of a data protection law, the government should provide guidance on such issues.”

CERT-in may soon be exempt from responding to the Right to Information as well, as a proposal for its inclusion in the Second Schedule of the RTI Act is pending. The Department of Personnel and Training declined, in response to an RTI request, to provide The Hindu a copy of the proposal to exempt the body, and copies of inputs received from government agencies in response to the proposal.

“They cannot hide behind the exemption, and need to be proactive,” Mr. Suganthan reiterated. “The duty is there on them to inform citizens on what to do next in such a situation.”

0 / 0
Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in

Comments

Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.