On a day India was hosting a G20 meeting on creating digital public infrastructure, the revelation of a major data breach sparked off hours of furious speculation. A channel on the messaging service Telegram allegedly offered access to a database of Indians who had taken the COVID-19 vaccines, along with details of their phone numbers, date of birth, Aadhaar and passport details.
Government issued a statement that the data was safe, the reports were “mischievous” and no such breach had taken place. The Union Minister of State for Information Technology Rajeev Chandrashekhar offered a more nuanced take on Twitter. “The data being accessed by bot from a threat actor database seems to have been populated with previously stolen data in the past”. He went on to clarify that CERT-In had pointed out that the “breached or stolen data” came from databases “other than Cowin”.
What surprised security researchers was the accuracy of the data that the Telegram Bot was delivering. As soon as they entered a known mobile number, it threw up vaccination details associated with it. Their names, date of birth, Aadhaar or Passport details and place of vaccination. If other members of a family were mapped to the same mobile number for vaccination, those would show up as well.
When five data points – name, phone number, identity number, date of birth and place of vaccination – began to match, many security researchers were convinced that the breached database was genuine. So where was this data “stolen” or “accessed” from?
Identify Perpetrators, Fix Accountability
Earlier major data breaches in India have led to similar debates. When ransomware locked out the sensitive database of patients from the prestigious All India Institute of Medical Sciences (AIIMS), there was denial, followed by days of suspended operations. When the Kudankulam Nuclear Plant was breached, government issued a denial, only to reverse it within hours, claiming that while some IT functions had been disrupted, the operational technology systems that run the plant were safe.
Before the Kudankulam nuclear plant breach, a hack into a service provider that manned ATMs for several banks led to an admission in Parliament that 2.9 million debit and credit cards had to be recalled since they were compromised or infected.
While there are indicators behind the data breaches or ransomware attacks, Indian agencies have consistently failed to find the perpetrators behind them. This reveals a worrying gap in India’s ability to prevent attacks and secure its cyberspace.
The denial allows the real perpetrators to get away. It also removes any accountability of those tasked with protecting India’s cyberspace. Worse, it exposes ordinary citizens and makes them vulnerable to further attacks and data breaches.
Unlike physical thefts, where stolen goods can be recovered and returned to its rightful owner, stolen data can’t be returned. Once a database is breached, the data is compromised forever. Unless the data is changed, these details remain at the disposal of hackers to target hapless victims. But it is impossible to change some data, like the date of birth, or an allotted Aadhaar number. Data, once lost, is never recovered.
What Needs To Be Done
One of the foundational principles in risk management is Courtney’s Third law, which states that there are no technical solutions to management problems but there are management solutions to technical problems. In India’s case, the problems are both technical and managerial.
There are two dedicated organisations for Cyber Security (CERT-In and NCIIPC), but their budget allocations are nowhere near what is required to safeguard the various systems that they are supposed to protect. The lack of resources thus creates both a management and technical problem, as they can neither build capacity nor have a seat at the table, during system design of various digital governance initiatives, to advise and inform on cyber risk.
While passing a privacy bill would be a great signal that the government cares about citizen data, law is no substitute for money. Perhaps the time has come for mandating allocation of at least one percent of any e-governance project towards cyber security, in the upcoming Digital India Bill, apart from giving a dedicated budget upwards of Rs 1,000 crore to both CERT-In (Indian Computer Energy Response Team) and NCIIPC (National Critical Information Infrastructure Protection Centre) separately.
The AIIMS ransomware attack revealed what was known for years that health is a critical sector as well. Soon after the attack, this sector was added to NCIIPC’s list of critical information infrastructure sectors. However, since the notification is pending, CERT-In was the first responder.
It is a globally recognised fact that cybersecurity is a shared responsibility. No single agency or organisation will be able to stop future attacks. India has one of the most talented groups of information security professionals in the world. However, they have never been tapped in a meaningful manner, be it for research or for operational deployments. Amid agencies and individuals working in silos with low budgets, India is just one attack away from catastrophic failure.
Saikat Datta and Anand V are co-founders of DeepStrat, a think tank and a firm that specialises in risk management. Views are personal, and do not represent the stand of the publication.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
