By Anuradha Gandhi and Rachita Thakur
A report by the US-based cyber-security firm Resecurity (hereinafter referred to as the “Report”) has disclosed a serious data breach in which personally identifiable information of 815 million Indians has been put up for sale on the dark web. Details such as Aadhaar and passport information, along with names, phone numbers and addresses, are available.[1]
The hacker, using a handle on Platform X (formerly known as Twitter), advertised the Aadhaar and passport information along with names, phone numbers and addresses, which the hacker claimed were extracted from the Covid-19 test details of citizens registered with ICMR.
As proof, the hacker posted spreadsheets containing four large leak samples with fragments of Aadhaar data, which were identified as valid Aadhaar card IDs. The said information is believed to have been collected and maintained by the Indian Council of Medical Research (ICMR) during Covid-19 testing.[2]
The Computer Emergency Response Team of India (CERT-In) has also alerted ICMR about the breach. However, the Covid-19 test information is scattered across various government bodies such as the National Informatics Centre (NIC), ICMR and the Ministry of Health, making it challenging to identify where the breach originated.
Recent cyber-attack on healthcare data
Earlier, in 2022, the All India Institute of Medical Sciences (AIIMS) had also faced a data breach. Cybercriminals hacked into the servers of AIIMS and took control of more than 1 TB of the Institute’s data, demanding a hefty ransom. This forced the Institute to switch to a manual record-keeping process, slowing down its operations.
The Digital Personal Data Protection Act, 2023
The new legislation on data protection, the Digital Personal Data Protection Act, 2023 (hereinafter referred to as the “Act”), has been enacted to tighten India’s data protection landscape. The Act revolves around three parties, namely Data Fiduciaries (who collect the data), Data Principals (whose data is collected) and Data Processors (contractually obligated to process the data on behalf of a Data Fiduciary).
To ensure the safety and security of personal data and to prevent such incidents of data breach, the Act entrusts Data Fiduciaries with the responsibility of protecting the personal data of Data Principals through adequate technical and organisational measures. The CERT-In Cybersecurity Directions, 2022,[3] classify 20 types of cybersecurity incidents that must be reported to CERT-In within six hours of the incident being noticed.
Though the rules are still awaited, the Act clearly sets out the Data Fiduciaries’ responsibility to inform both the affected Data Principals and the Data Protection Board of an incident of data breach. For non-compliance with its provisions, the Act prescribes significantly high penalties of up to INR 250 crore.
The Act also grants Data Principals the right to verify the personal data shared with Data Fiduciaries, the right to withdraw consent and the right to request erasure of their personal data.
Such incidents of data breach necessitate robust data protection legislation, with rules framed under it, to prevent data breaches and mitigate the losses arising from them. The Digital Personal Data Protection Act, 2023 can be said to be a step in the right direction and will improve India’s standing among the world’s data protection regimes.
[3] Issued under Section 70B(6) of the Information Technology Act, 2002 on April 28, 2022