The reports of a major data breach in the Covid-19 vaccine tracking platform CoWIN, leading to the leaking of sensitive personal information of millions of vaccine recipients, have revived privacy fears. The Centre’s response to the development raises more questions than it answers. It is time to take a fresh look at the safety regime and allay doubts about the security aspects of e-platforms. At risk may be personally identifiable information (PII) of people, since the data appeared to include identity documents and details of people who signed up to get the vaccines, which can be booked only via the digital service. The leak, which evoked contradictory signals from the government, has once again highlighted the urgent need for a robust data protection policy. The data, accessed by a bot on the messaging application platform Telegram, included details like Aadhaar, passport and PAN card numbers and the vaccination centre where the user received the shot. Even if users used a mobile number instead of the Aadhaar number, the information could still be accessed. In addition, the passport numbers of individuals who updated their CoWIN portal for international travel were also exposed. The possibility that this could be previously stolen data adds to the mounting concerns. Despite frequent instances of hacking and leakage of sensitive public data, there have been no efforts on the part of the government to create a national cybersecurity doctrine or even a workable policy. Every citizen providing information to a database would expect regular risk assessment, with a mandated policy to monitor the inbuilt safety provisions.
The hacking has exposed the vulnerabilities of the platform. In November last year, the AIIMS cyberattack prompted a series of remedial measures. A critical input was that organisations should ensure network segmentation, under which a computer network is divided into sub-networks, to improve security and isolate vulnerabilities. Also underlined was the utility of having a security information and event management solution that helps collect data from various sources to provide real-time visibility of security events. Also stressed were formalising an incident response plan to minimise the damage and compulsory cybersecurity training for staff. Keeping track of cybercrime to detect the latest tactics being employed by hackers becomes imperative to safeguard systems and ensure the confidentiality of sensitive information. The government’s e-dependency outreach demands accompanying systems that protect the digital citizen. The CoWIN breach is the latest in a series of similar incidents. Unfortunately, the earlier ones were ignored. For instance, the 2017 Hitachi data breach became a trailer for the 2019 attack on the Kudankulam nuclear reactor, which was then followed by the detection of Cobalt Strike malware. As India’s internet base continues to grow exponentially, a parallel rise in cyberthreats has raised concerns. The sophistication of cybercrimes is also increasing with the advancement of digital technology.