The Indian Computer Emergency Team (CERT-in), the nodal cybersecurity agency that deals with incidents like breaches and vulnerabilities in cyberspace, has not directly put out any update on its assessment of the apparent breach of personal information of people who received vaccinations, registered on the Union government’s CoWIN platform.
CERT-in has not put out any alert to citizens that their Aadhaar or passport numbers, along with other personal details, may be hacked.
Additionally, a senior police official told The Hindu on Tuesday that no First Information Report has been filed following the breach. CERT-in was not immediately available for comments on Tuesday evening. While privacy, including informational privacy, was upheld as a fundamental right in the Constitution by the Supreme Court in 2017, the government has not passed a data protection Bill yet.
The only information from CERT-in so far comes from Minister of State for Electronics & Information Technology Rajeev Chandrasekhar, who said that the cybersecurity agency had found that “data being accessed by [the Telegram messaging app] bot from a threat actor database… seems to have been populated with previously stolen data.” It is unclear when this data was stolen and from where.
A report by private cybersecurity firm CloudSEK said the data appears to be not from CoWIN directly, but from a health worker who had inadequately protected vaccination beneficiary data. Commentators also pointed out that the data appeared slightly richer than what CoWIN possessed: namely, precise dates of birth were available for vaccine beneficiaries, even though the CoWIN portal only collected the year of birth.
‘Need transparent probe’
Prasanth Sugathan, Legal Director at the New Delhi-based Software Freedom Law Center, said that CERT-in’s investigation “should be a transparent process” that “should inspire confidence in citizens in their public infrastructure”. Mr. Sugathan added, “What are the steps you need to take to ensure that nothing happens as far as financial information is concerned? We expect even in the absence of a data protection law, the government should provide guidance on such issues.”
CERT-in may soon be exempt from responding to the Right to Information as well, as a proposal for its inclusion in the Second Schedule of the RTI Act is pending. The Department of Personnel and Training declined, in response to an RTI request, to provide The Hindu a copy of the proposal to exempt the body, and copies of inputs received from government agencies in response to the proposal.
“They cannot hide behind the exemption, and need to be proactive,” Mr. Sugathan reiterated. “The duty is there on them to inform citizens on what to do next in such a situation.”