The Government of India prefers ostriches to elephants. It chooses to bury its head in the sand — ostrich-like — every time there are serious allegations against it instead of addressing the elephant in the room, which, this time, is the alleged data breach of the CoWin portal. It has been reported that sensitive information like Aadhaar and PAN numbers, date of birth and so on of many Indians registered on the CoWin portal — the website claims to have over 1,10,92,28,656 registrations — are available on the messaging application, Telegram. The government — as is its wont — has been firm in its denial about the breach. A Union minister first admitted that a Telegram bot was, indeed, throwing up CoWin data, but that this was data from a previous breach — as if that is some consolation. He then went on to clarify that the previous breach was not of the CoWin app; ultimately a press release was issued to convey that CoWin is “completely safe”. But citizens are unlikely to rest easy. The minister’s affirmation of CoWin’s invulnerability flies in the face of, say, the revelations of not only the number of vaccination doses but also the centres where they were taken. Worryingly, this is also not the first time that such a leak has been reported. In June 2021, hackers claimed to have a database of about 15 crore Indians from the CoWin portal. Health authorities had rubbished the claims on that occasion but are now referring to a previous leak. This kind of confusion — a wilful game of smoke and mirrors — does not inspire confidence.
The inability to spot where the breach occurred is worrying. This is because other repositories of personal and health information may well be at risk. CoWin data are apparently linked to the Aarogya Setu app and the UMANG app, not to mention the National Digital Health Mission, which has patients’ medical records that can be accessed anywhere in the country. Denial and opacity had also been the hallmarks of investigations into previous data breaches in the public sector, including the one on the Employees’ Provident Fund Organisation in August 2022 and the ransomware attack on the All-India Institute of Medical Sciences in November 2022. Together, they raise valid concerns about the security of some of India’s digital portals.
Meanwhile, the National Cyber Security Strategy — a draft put out for public consultation in December 2019 — still awaits finalisation. India also does not have any data protection law that can mandate breach notifications to impacted users. Further, the draft digital personal data protection bill, 2022 would exempt government entities from compliance; a breach such as this one is likely to remain unaccountable. Digital India is worth aspiring for but not without adequate safety measures that must uphold the privacy and the dignity of citizens.
