Get all your news in one place.
100’s of premium titles.
One app.
Start reading
The Hindu
The Hindu
National
The Hindu Bureau

CoWIN data leak | No CERT-in update yet; experts demand transparency

The Indian Computer Emergency Team (CERT-in), the nodal cybersecurity agency that deals with incidents like breaches and vulnerabilities in cyberspace, has not directly put out any update on its assessment of the apparent breach of personal information of people who received vaccinations, registered on the Union government’s CoWIN platform.

CERT-in has not put out any alert to citizens that their Aadhaar or passport numbers, along with other personal details, may be hacked.

Also Read | CoWIN data leak from a non-governmental database operated by threat actor, says Union Minister

Additionally, a senior police official told The Hindu on Tuesday that no First Information Report has been filed following the breach. CERT-in was not immediately available for comments on Tuesday evening. While privacy, including informational privacy, was upheld as a fundamental right in the Constitution by the Supreme Court in 2017, the government has not passed a data protection Bill yet.

The only information from CERT-in so far comes from Minister of State for Electronics & Information Technology Rajeev Chandrasekhar, who said that the cybersecurity agency had found that “data being accessed by [the Telegram messaging app] bot from a threat actor database… seems to have been populated with previously stolen data.” It is unclear when this data was stolen and from where.

A report by private cybersecurity firm CloudSEK said the data appears to be not from CoWIN directly, but from a health worker who had inadequately protected vaccination beneficiary data. Commentators also pointed out that the data appeared slightly richer than what CoWIN possessed: namely, precise dates of birth were available for vaccine beneficiaries, even though the CoWIN portal only collected the year of birth. 

‘Need transparent probe’

Prasanth Sugathan, Legal Director at the New Delhi-based Software Freedom Law Center, said that CERT-in’s investigation “should be a transparent process” that “should inspire confidence in citizens in their public infrastructure”. Mr. Sugathan added, “What are the steps you need to take to ensure that nothing happens as far as financial information is concerned? We expect even in the absence of a data protection law, the government should provide guidance on such issues.”

CERT-in may soon be exempt from responding to the Right to Information as well, as a proposal for its inclusion in the Second Schedule of the RTI Act is pending. The Department of Personnel and Training declined, in response to an RTI request, to provide The Hindu a copy of the proposal to exempt the body, and copies of inputs received from government agencies in response to the proposal.

“They cannot hide behind the exemption, and need to be proactive,” Mr. Suganthan reiterated. “The duty is there on them to inform citizens on what to do next in such a situation.”

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.