CoWIN Data Breach Reveals Security Gaps In India's Critical Information Infrastructure

As the government struggles to protect citizens' data and uphold their privacy, India faces an urgent need for a strong cybersecurity infrastructure and a comprehensive legal framework to effectively combat cyberattacks.

By Rageshree Sengupta

CoWIN data breach | Representative image | The Probe

A few days ago, the Intelligence Fusion and Strategic Operations (IFSO) unit of the Special Cell of the Delhi Police filed an FIR in the CoWIN data breach case and arrested two brothers from Bihar. They allegedly used their mother's CoWIN ID to leak data. According to the police, the brothers gained unauthorised access to information on the CoWIN portal and created a bot to carry out a CoWIN data breach on Telegram. However, investigations revealed that the brothers only obtained data from a few individuals in Bihar. The large volume of leaked data on Telegram indicates the involvement of numerous non-state actors in breaching government data. Despite this, the government still seems to grapple with protecting citizens' data and safeguarding their privacy.

Pawan Duggal, Supreme Court advocate and cybersecurity expert, speaks to The Probe's Rageshree Sengupta on the CoWIN data breach

Hackers often target health data due to its high value in the dark market. This type of data fetches a premium price because it provides a wealth of information. Beyond just revealing an individual's health parameters and medical conditions, it offers insights into potential areas where the person may require assistance. These areas can include health-related needs and financial vulnerabilities, making medical data a fertile target for criminals. The information contained in medical data goes beyond simple health records. It can include details about medications, treatment plans, diagnoses, and even sensitive personal information such as unique IDs or insurance details.

Shashank Shekhar, an independent journalist and the founder of Future Crime Research Foundation (FCRF), an IIT Kanpur incubated NGO, states: "It is highly concerning that a significant amount of healthcare data is being sold on the dark web, comprising an individual's personal contact information, healthcare details, bank details, and more. This data is considered to be a hot property on the dark web. Once these malicious actors access your details, they possess valuable knowledge about you, ranging from your blood group to your ailments and medications. The government must establish a robust healthcare infrastructure with regular audits to contain this. Presently, there are no checks and balances in place. Government hospitals are witnessing a free-for-all scenario where anyone can access and manipulate this data. The absence of security measures seriously threatens the protection of citizens' data."

In the second week of July, reports surfaced regarding a data breach of CoWIN on the messaging platform Telegram. It was claimed that a Telegram bot had accessed CoWIN data, leading to concerns about the security of citizens' information. In response to these reports, Rajeev Chandrasekhar, the Minister of State for Electronics and IT, stated that the Indian Computer Emergency Response Team (CERT-In) had investigated the alleged breach and determined that the CoWIN portal itself was not directly compromised. According to Chandrasekhar, the data being shared on Telegram, including citizens' Aadhaar and passport numbers, was sourced from previously breached databases and not obtained through a direct breach of the CoWIN system.

To clarify the situation, the Health Ministry issued a press release which essentially dismissed the possibility of CoWIN's APIs (Application Programming Interfaces) being utilised by the Telegram bot to obtain the data. However, these statements from the government have left many questions unanswered and have raised further doubts regarding the incident.

What may have caused the CoWIN data breach

Rahul Sasi, co-founder and CEO of cyber-security firm CloudSek, provides insights into the possible causes of the data breach. He explains, "Our initial analysis found that health workers' passwords were leaked on the dark web. These health workers uploaded the details of the citizens on the government website. The health workers' usernames and passwords were leaked on the dark web, which may have facilitated unauthorised access to the data". Sasi further suggests another possibility, stating, "The second assumption is that there was an unauthorised leak of the API which the attackers may have used. That is what was used to run the Telegram bot. We feel the attackers had access to one of the internal APIs".

Pawan Duggal, a Supreme Court advocate and cybersecurity expert, describes the CoWIN data breach case as a national emergency. He emphasises that CoWIN is not an ordinary application but rather India's critical information infrastructure, housing citizens' data. Protecting this data is of utmost importance, as any compromise in its security can have far-reaching consequences, jeopardising India's sovereignty, security, and integrity. Duggal points out that ransomware attacks have been escalating rapidly, with alarming statistics suggesting that by the end of 2023, a company could fall victim to such attacks every 9 seconds, compared to every 11 seconds in 2022.

In Duggal’s words: “The AIIMS ransomware attack that took place last year was a wake-up call because extensive data of Indians had been compromised, and now, in less than a few months, we have an attack on CoWIN. This sequence of events serves as a stark reminder of the vulnerability of critical systems and the urgent need to implement robust cybersecurity measures to protect sensitive information. The recent breach of CoWIN, targeting India’s health data and the well-being of its citizens, further underscores the severity of the situation. It is imperative that we view this as a national emergency, given CoWIN’s criticality as India’s central health information repository. The escalating frequency of ransomware attacks calls for immediate action to bolster cybersecurity defences.”

The government can’t be in a perpetual denial mode when its systems have been breached

Duggal further adds that the government should acknowledge data breaches each time they occur instead of denying them. “Many times in the past, we have seen how the government had denied such breaches. But now, since the screenshots and details of the data that has been breached are there on the online space, it is high time that this entire case is investigated from a criminal standpoint.” Duggal highlights the importance of treating these breaches as criminal offences.

Stressing the significance of government transparency in the face of data breaches, Shekhar says that the government should openly disclose the scale of the attack to the public. “Whenever there is a data breach, the government should be very open about it and inform the people about the attack’s magnitude and scale so that people can be prepared. This disclosure is very important; otherwise, how can the public at large be ready to face any eventuality?”

Dr Prashant Mali, a cyber expert and lawyer practising in the Bombay High Court, highlights the conflicting views within government agencies regarding the data breach. He states, “There are conflicting views from various government agencies. On the one hand, the health ministry has said that there is something which they want to investigate. On the other hand, the Ministry of Electronics and Information Technology (MeitY) has said that nothing has been leaked, and whatever leak has happened has happened from previous databases and segments from different contact points. There is negligence in following reasonable cybersecurity practices, which may have led to the massive data leak from different contact points”.

India still does not have laws in place to tackle cyber attacks

“Indian cyber law - the Information Technology Act 2000 is not a cybersecurity law. It was amended in 2008 to include the legal definition of cybersecurity and also to put in certain cosmetic provisions of cybersecurity, but by and large, it is not adequate to deal with the huge myriad of challenges that cybersecurity breaches are throwing up. We need a new cybersecurity legal framework,” asserts Duggal.

He says, "India does not have a dedicated law on cybersecurity. We also don't have a dedicated law on privacy or data protection. India also doesn't have a dedicated ministry on cybersecurity, similar to Australia or the Middle East. So, consequently, every ministry potentially believes that cybersecurity is its turf. This is a unique policy vacuum, and at such a time, the CoWIN data leak represents huge new problems that the stakeholders need to be mindful of".

Duggal emphasises the limitations of CERT-In and states, “CERT-In is investigating the CoWIN data breach case, but the fact is that CERT-In does not have investigative powers that the law enforcement agencies have, and therefore, it intrinsically lacks the capacity to take action which is of penal nature”. He further asserts, “Apart from CERT-In, I am of the firm opinion that an FIR needs to be lodged and the matter needs to be criminally investigated by the police because these are various offences that have been committed under the Information Technology Act 2000 and also under the Indian Penal Code (IPC)”.

FIRs are hardly registered, and convictions are abysmally low

In today’s interconnected world, the threat of cyberattacks looms large, and governments are not immune to this growing menace. With India’s vast population and extensive datasets, the country finds itself at the forefront of a virtual battle. Hackers and attackers are constantly evolving their techniques, but unfortunately, India’s legal framework has not kept pace with these advancements. This has resulted in a pressing need for a more proactive approach from the government to combat cybercrimes. 

Shekhar explains, “Let me be very honest. On a daily basis, government organisations’ data is being hacked. Unfortunately, in cybersecurity, the convictions are awfully low. There is so much inefficiency in the current system that even when numerous complaints are lodged, only a fraction of them progress to FIRs (First Information Reports). Furthermore, the abysmally low conviction rates in India fail to instil fear in the minds of cybercriminals, allowing them to operate with impunity”. 

What can you do if your data is breached?

Justice Puttaswamy’s judgement asserts that individuals have a fundamental right to privacy. The judgement, commonly referred to as the “Right to Privacy” judgement, was delivered by a nine-judge bench of the Supreme Court of India in August 2017. The court held that the right to privacy is protected as an intrinsic part of the right to life and personal liberty guaranteed under Article 21 of the Indian Constitution. Under Section 43 of the Information Technology (IT) Act, 2000, entities that fail to protect sensitive personal data and information from unauthorised access or disclosure may be held liable for compensation. 

Shekhar states that there are several options within the existing framework to report cybercrimes and seek legal recourse. He says, “If your data is breached, you can dial 1930 and report it to the cybercrime helpline. You can go to https://cybercrime.gov.in/, which is the government website where you can report cybercrimes. Suppose my ID was misused to obtain a SIM card from a telecom company, and as a result, fraud was committed; in such a scenario, the police would approach me since my ID was utilised. However, many people are unaware that they also have the option to file a case against the telecom company in court, questioning why proper verification procedures were not followed before issuing the SIM card to the wrong individual. There have been instances where courts have ruled against telecom operators and banks, emphasising their failure to ensure citizens’ privacy”.