Parliamentary Probe Unveils 165 Data Breaches From 2018-23 as Reported by CERT-In

On December 8, during the ongoing winter parliamentary session, Saket Gokhale raised questions regarding the total number of data breaches of Indians that have been brought to the notice of the ministry since 2018 in the Rajya Sabha. Through his question he inquired about the specific instances of data breaches of Indians that are currently being investigated by the Ministry. Saket Gokhale is a politician and spokesperson of the Trinamool Congress. He was elected as a member of the Rajya Sabha from West Bengal. These questions were presented to Rajeev Chandrasekhar, who is the current minister of state for skill development and entrepreneurship and information technology of India. 

In its response, it was said that the government is committed to ensuring an open, safe, trusted and accountable internet for its users and has taken measures to safeguard citizen data from cyber threats. It is astonishing to note that there have been 165 data breaches from 2018-23 as reported by Indian Computer Emergency Response Team (CERT-In) and no investigations have taken place. They have mentioned that there has been no breach of data in the case of Aadhaar card information from the Central Identities Data Repository (CIDR) maintained by the Unique Identification Authority of India. The Ministry of Health and Family Welfare has implemented stringent safety measures for Co-IN App, including OTP authentication for accessing vaccination details, masking sensitive personal information, encrypting the Co-WIN database, and implementing two-factor authentication to prevent unauthorized access, ensuring citizen data protection.

Even though the government alleges no breach of Aadhaar card information has occurred, the article published by Livemint states an Aadhar data breach that took place in October 2023.  

The article talks about a report by Resecurity, a US-based cybersecurity firm that claims that personal identifiable information of about 815 million which is 81.5 crore Indians has been leaked on the dark web. Data including names, phone numbers, addresses, Aadhaar, passport information are for sale online. On 9 October, 2023, a threat actor going by the name ‘pwn0001’ posted a thread on Breach Forums brokering access to 815 million “Indian Citizen Aadhaar & Passport” records. The company also added that its HUNTER unit investigators who established contact with the threat actor, learned that they were willing to sell entire Aadhaar and Indian passport database for $80,000.

There is information regarding an alleged data leak on the CoWIN platform as can be accessed here. In this report, it is mentioned that sensitive personal data such as full name, Aadhar number, mobile number and vaccination status of innumerable citizens stored on the CoWIN platform was leaked through a Telegram bot on June 12, 2023. 

The recent parliamentary inquiry by Saket Gokhale regarding data breaches raised concerns about the government’s handling of citizen data security. Despite assurances of safeguarding data and no reported breaches in Aadhaar information, discrepancies arise from recent reports. Livemint has highlighted a potential Aadhaar data breach involving sensitive personal information of millions for sale on the dark web. Additionally, allegations of a CoWIN platform leak in June 2023, compromising citizens’ Aadhaar numbers and vaccination status, add to the growing concerns about data security measures. These incidents underscore the urgent need for thorough investigations, enhanced cybersecurity protocols, and transparent accountability to ensure the protection of citizens’ sensitive data.