Cowin data breach: Assessing the risk of recurring attacks
Minister of state for electronics and IT Rajeev Chandrasekhar says the Cowin app did not face a direct data breach. But the incident could still put sensitive personal health data of users at stake. Mint explains why such breaches could be severe and why they are so frequent:
What’s a data breach, how do they occur?
A data breach happens when a platform with user-data is compromised, leading to the data being stolen. There could be many reasons behind breaches, including wrongly configured cloud platforms where data was stored and unknown bugs (called zero-days) that are exploited by cyber criminals. Data breaches can be direct or indirect. An example of the latter would be hackers exploiting a flaw in the code in a third party app to gain access to a larger database. With an increasingly connected global industrial supply chain, more data is shared across firms, causing a rise in third-party data breaches.
What happened to the Cowin platform?
In a tweet on 12 June, Chandrasekhar said it “does not appear” that the Cowin app or database was “directly breached”. Rather, user-data from the database, which was being published on messaging app Telegram through a chatbot, was being accessed from a “threat actor database… populated with previously stolen data”. The minister’s claim points to a third party data breach, where platforms that used Cowin to verify users—common during post-pandemic travel—may have faced a breach. The union health ministry denied reports of a data breach affecting the Cowin platform.
Why do cyber attacks keep happening in India?
India has a huge number of internet users—one of the biggest markets for any digitized business. This makes India a hotbed of user-data. Cowin dashboard on Tuesday showed it had over 1.1 billion users’ data. A breach of data on any public platform could expose millions of users to a wide range of further cyber attacks such as targeted phishing and scams.
Do any firms or govt bodies face penalties?
India so far does not have a direct law for cyber security. The Indian Computer Emergency Response Team (CERT-In)’s regulations from last year penalises failure to report a data breach. NS Nappinai, Supreme Court lawyer, said, “For a data breach itself, you have Section 43A of Information Technology Act, 2000, which only holds a body corporate liable. As of now, our minimal data protection laws under the IT Act do not cover the government. Since personal data impacts the fundamental right of privacy, it is open to victims to seek remedies through court.”
What do users have at stake?
Sensitive data, once leaked, is unrecoverable—it can be accessed by any cyber criminal with intent to purchase a database. This makes users highly susceptible to scams and cyber attacks, which have also grown increasingly sophisticated in nature. “In case of a data breach, user-data is prejudicially affected for a lifetime. The lack of a dedicated legal framework means we can’t provide effective remedies to those whose data has been compromised,” said Pawan Duggal, Supreme Court lawyer.
Download The Mint News App to get Daily Market Updates & Live Business News.
Updated: 14 Jun 2023, 12:49 AM IST