Understanding the developments in CoWIN portal Data leak Saga: From reports of the breach to the Government’s response

Introduction

On June 12^th, Several media reports claimed that the CoWIN portal had been breached, and data of all the people who got vaccinated and registered on this portal are available to the public. Media Reports stated that data was accessible via a bot on Telegram.

Later, on the same day, both the health and Information Technology (IT) ministries refuted the claims made in these reports unequivocally. They have clarified their position and found the source of information available on the bot to be already accessible publicly. This clarification is based on an internal exercise conducted by the national health ministry and an audit conducted by the Computer emergency response team, i.e., CERT-In.

Timeline of Events

The issue came into the limelight with opposition MPs tweeting screenshots of information about vaccinated people being available via a Telegram Bot. There were claims of the CoWIN portal being breached and all the data being violated.

The CERT-In responded to these claims instantly and will be submitting a report swiftly per the statements of Minister of State for IT Mr Rajeev Chandrasekhar. The minister also clarified that there had been no breach of the CoWIN portal’s data. Secondly, he stated that the source of the data available was a Threat actor database. IBM defines a threat actor database as a database used by malicious actors to cause damage to digital assets such as a device or a system(s). These threat actors target a system’s vulnerabilities and perform various attacks, from phishing to malware. Thirdly, he stated that the information was already in the public domain and was part of previously stolen/breached data. Thus, the information made available by the Telegram bot is not from CoWIN Portal.

The CERT-In, by its initial report, has found that the back end of the Telegram bot could not access the personal information of the CoWIN portal. This Is because the data is accessible only by OTP, i.e. One-time passwords. It stated that all three modes of accessing Personal Identifiable Information (PII) of the CoWIN Portal, i.e., authorised user access post authentication, beneficiary board access and third-party access, were protected by an additional requirement of OTPs.

Privacy Paradigm In India

The incident mentioned above reflects how important the employment of Data privacy practices is in the modern age. Digitalisation has entered all sectors in one form or another, whether government or private structures, data-driven functioning is taken across the board.

Courts and the Constitution

The privacy rights regime in India was established and spearheaded by the Courts. Initially, the apex court was averse to the idea of the Right to privacy in India being a Fundamental right. The Supreme Court of India, in the 1962 Judgement of Kharak Singh vs. State of Uttar Pradesh ((1964) 1 SCR 332), ruled that there is no fundamental right to privacy. The Supreme Court of India later overturned the 1962 ruling in its 2017 Judgement in Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. Judgement (2017) 10 SCC 1. The Puttaswamy judgement recognised the Fundamental Right to privacy per Article 21 of the Indian Constitution.

Although the Right to privacy has been recognised in the Constitutional Scheme, its implementation can only be enforced if the Government and the private sector conform to Data privacy practices. In The CoWIN incident, by preliminary reports, it is evident that prima facie, employing a One-time password authentication mechanism was key behind the Portal data not being breached.

Practices for Ensuring Data Privacy & Protection

There are Similar data privacy practices apart from the One-time password authentication mechanism. These can be used by the Government and private organisations managing large volumes of data to protect the Right to privacy of their clients. These include:

Formulation of a comprehensive framework of laws and regulations. These laws and regulations will ensure that there are guidelines provided regarding the storage, collection, handling and processing of data. Published in 2022, The Draft Digital Personal Data Protection Bill intends to establish guidelines concerning the subject mentioned above, such as Data Processing and storage. It also aims to establish the responsibility and liability of Data Fiduciaries to Data Principals.

Also read Concerns of Consent under the DPDPB: Compliance Requirements.

Privacy by Design Principles. This involves ensuring that the Privacy and data protection Principles are embedded in the design and foundation of the development of the digital system. The system is oriented and organised to promote privacy and reduce data protection vulnerabilities. These principles include but are not limited to anonymisation or pseudonymisation of data, which is personally identifiable information, data minimisation techniques, and enforcing privacy control measures.

Training Employees. This will ensure that the organisation incorporates and encourages a data privacy and protection culture. It will also ensure that the employees are well equipped to oversee situations where Data privacy may be compromised and implement data privacy and protection practices, which will minimise the risk of any data breach or reduce the chances of success of a Cyber-attack.

Employing strong Data Protection Measures. Robust Data protection measures are key to safeguarding the confidentiality of personal or critical data. This can be done by employing strong security protocols such as using encryption mechanisms to reduce data vulnerabilities while it is in storage or transit and by employing secure access controls. Privacy impact assessments can aid in being aware of the vulnerabilities of the system and consequently remove them.

Future Privacy Developments in Indian Jurisdiction

Apart from the Draft Digital Personal Data Protection Bill, 2022 which is expected to be introduced in Parliament in the Monsoon Session., A Digital India Act is also proposed, which is expected to replace the IT Act 2000 so as to cater to the demands of the modern digital age. Also, Per the IT Minister, a national data governance policy has already been finalised and is expected to be officially notified soon. The draft National Data Governance Policy Framework was released in 2022. The minister stated that this policy would deal with creating one common framework of security standards, data storage and data access across the Government.

Also read The Digital India Act: An Analysis.

Conclusion

Though as per preliminary reports, it can be inferred that the Government was able to avoid a potential data breach due to employing data authentication protocols like the One-Time password mechanism. There still persists a risk of violation of an Individual’s Right to privacy and the absence of a mechanism in lack of any comprehensive law or regulation in place. Enactment of legislation like the Digital Personal Data Protection Bill and the Digital India Act will not ensure that a legal mechanism Is in place for individuals to claim their grievances and keep Data fiduciaries in check without moving to Courts. It will also ensure the modernisation of laws and regulations that is necessary to cater to the demands of the modern world well-paced into a digital, globalised system now.

Tsaaro helps organisations in ensuring compliance with the privacy laws by equipping professionals with the skills required. Take the first step towards a secure your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today. Stay updated with all the recent developments in the global as well as Indian Privacy Regulation paradigm, contact us at info@tsaaro.com.