Following claims of a data breach on the CoWIN platform, the Congress on Monday demanded a high-level judicial probe into the entire data management apparatus of the Centre to identify the extent of the danger posed to the privacy of all Indians,
Amid the ongoing row over an alleged data breach, the government has asserted that the CoWIN portal is completely safe with adequate safeguards for data privacy, dismissing as "mischievous" the claims of a data breach on the platform, and said the matter has been reviewed by the country's nodal cyber security agency CERT-In.
Who said what?
Reacting to data leak claims, the minister said that "it does not appear that the CoWIN app or database has been directly breached".
"With reference to some alleged Cowin data breaches reported on social media, @IndianCERT has immediately responded and reviewed this.
"A Telegram Bot was throwing up Cowin app details upon entry of phone numbers. The data being accessed by bot from a threat actor database, which seems to have been populated with previously stolen data stolen in the past," he tweeted.
The minister later also clarified that he had referred to "previously breached or stolen data from databases other than CoWIn".
The Congress leaders hit out at Union Minister of State for Electronics and Technology Rajeev Chandrasekhar, alleging that his response on the grave issue has been "casual".
Congress General Secretary (Communications) Jairam Ramesh asked, "If CoWIN database hasn’t been “directly breached”, is the Minister then accepting that it is an indirect breach? What other databases are linked to the CoWIN database that has led to this vulnerability?"
In 2017, the Supreme Court declared the Right to Privacy as a fundamental right, he said, noting that the government also gave an assurance that a data protection law was in the making.
From the time of the constitution of the Srikrishna Committee on Data Protection in 2017 until today, "we have seen multiple versions of the Data Protection Bill, countless rounds of consultation, and a Joint Parliamentary Committee", he said.
"Except, in its last move, the government decided to completely start afresh, instead of rectifying the lacunae in the draft legislations," the Congress leader said.
Ramesh said the personal data breach is a very grave matter with serious implications for "privacy, security and makes us all vulnerable to financial frauds".
"The tech-savvy Minister instead of issuing casual WhatsApp forward-style tweets should hold a Press Conference at the earliest and clarify at the very least," he said, referring to the minister's mention of stolen data.
Party General Secretary (Organisation) K C Venugopal said the duty of any entity, especially the government, is to protect individual privacy above everything else.
This responsibility also extends to destroying data which is no longer required so that it is not vulnerable to such breaches, he said.
"If not, the entity must have watertight mechanisms to protect data in its custody. No step taken by the government, be it in managing health data through COWIN or Aarogya Setu, or in implementing any data protection framework, inspires confidence," he said.
"Only an impartial, high-level judicial probe into the government’s entire data management apparatus can identify the extent of danger that is posed to our privacy as a result of this government’s carelessness," Venugopal said on Twitter.
Venugopal claimed if a Telegram bot can throw up COWIN details simply by inputting mobile numbers, it will not take too long for automated software to harvest all COWIN data within a matter of hours.
"This breach clearly shows that COWIN data was not encrypted. If it were, only those with the necessary authorisation will be able to access such data, and random Telegram bots will not be able to decrypt such personal data.
"Since you mention ‘previously breached/stolen data,’ you’re clearly admitting that COWIN data has already been breached. It is then baseless for you to say that it ‘does not appear’ that the COWIN app has been breached," he said.
Congress spokesperson Shama Mohamed alleged,"The Modi government has compromised the security and privacy of Indians! This is criminal negligence!"
Congress MP Karti Chidambaram also tweeted, "In its Digital India frenzy, GoI has woefully ignored citizen privacy. Personal data of every single Indian who got COVID-19 vaccination is publicly available. Including my own data. Who let this happen? Why is GoI sitting on a data protection law? Ashwini Vaishnaw must answer."
In its statement, the health ministry said there was no basis for the reports alleging the breach of data from the CoWIN portal, which is the repository of all data of beneficiaries who have been vaccinated against COVID-19.
"It is clarified that all such reports are without any basis and mischievous. The Co-WIN portal of the Health Ministry is completely safe with adequate safeguards for data privacy," it said.
Furthermore, security measures are in place on the CoWIN portal with a web application firewall, regular vulnerability assessment, and Identity and Access Management, it said.
(With PTI Inputs)