Cowin Leak - Why was this breach significant?
On 12th June, several news reports began circulating on social media about a possible breach of the CoWin portal/app. The reports said the breach had leaked personal information, including critical identifiers such as names, year of birth, Aadhaar numbers, passport numbers, mobile numbers and PAN numbers of the individuals, and their family members, who had enrolled for vaccination on the CoWin portal/app. Plugthebreach estimates that nearly 1000 million users have been affected by the breach. The Minister of Electronics and Information Technology denied any leak; he acknowledged that there had been some breach in the past, but gave no information on how that breach had taken place.
Post-pandemic, myriad digitisation policies were introduced by the Government in the health sector. The Aarogya Setu app, the CoWin web portal and app, and the Ayushman Bharat Digital Mission are some examples of these digital interventions. Initially, citizens were required to register on the CoWin portal to receive the vaccine. The National Digital Health Mission was also introduced, and in many cases citizens' health IDs were created without their informed consent. The leak from the CoWin portal was therefore significant: it exposed the personal and sensitive information of the citizens who had registered on the portal, and their privacy was violated.
Summary of the Webinar deliberations
Article 21 Trust, in collaboration with RootConf, conducted a webinar on 16th June 2023 to discuss the wider and potentially harmful ramifications of the breach and to sensitise citizens to their valuable right to privacy. The aim was also to discuss how the data protection law will hold the entities entrusted with the data accountable in cases of a breach. The webinar also discussed the compensatory aspects in the absence of a robust data protection regime.
Rishu Mehrotra (Technology Leader, Merkle Science; Rootconf Community), Arjun BM (Chief Security Architect, Finastra; Editor, Rootconf Security Track) and Tejasi Panjiar (Associate Policy Counsel, Internet Freedom Foundation (IFF)) participated as panelists. The webinar was moderated by Maansi Verma (Trustee, Article 21 Trust) and Ria Singh Sawhney (Rethink Aadhaar Campaign).
Speaking in the webinar, Tejasi Panjiar highlighted that data breaches can result in financial losses, may damage reputations, may lead to profiling and surveillance of minorities and marginalised people, and can enable the creation of 360-degree profiles of citizens. She also noted that the adjudicating officer appointed by MeitY to decide on breaches would not be able to do justice, and that an amendment is therefore needed to appoint judicial officers as adjudicating officers. Speaking on the Digital Personal Data Protection Bill (now an Act), she lamented that the compensation aspect is missing from the draft of the Bill and that Section 43A of the IT Act, which provides for compensation, is being deleted, which means that the data principal shall have no recourse to compensation in cases of a breach.
Arjun BM, speaking at the event, said that there is no concept of absolute security; it is about reducing the risk to an acceptable level and making things as difficult for attackers as possible so that defenders stay one step ahead of them. He also said that privacy and security are parallel in terms of importance. Where security has concepts like security by design, security by default, security impact assessments and security engineering, privacy has the same parallel concepts: privacy engineering, privacy by default and privacy impact assessments. These concepts are gaining traction, focus and importance, especially in the private sector, in corporate organisations that have dedicated privacy professionals who take care of this in product design and in answering customer queries. He urged citizens to be more aware of their rights and to be more cognizant of what they are signing up for, including when installing a mobile app or using any software.
Rishu Mehrotra, speaking on the disclosure and investigation of the CoWin data leak, noted that we will never get to know exactly what happened. Whether the entity is a corporation or a government, the full picture is usually not disclosed, possibly because disclosure could expose more vulnerabilities. Even the corporate hacks of the past are usually described in technology jargon or technical terms that a layman cannot understand. He noted that, under the agreements governing data exchange between parties, when a breach occurs the party sharing the data may inform the receiving party that it will no longer receive the data, and may even blacklist it; but he raised concern about the data already shared, which is very hard to eliminate. He concluded by saying that, as citizens, we have to be very aware of how our information is going to be consumed; it is very difficult to ask people to become overnight experts in cyber security, but one thing every citizen must do is be aware of what their rights are.
Please watch the full discussion here.