The recent disclosures made by former Twitter CEO Jack Dorsey regarding alleged government pressure on Twitter to block criticism of the Modi government during the farmers’ agitation have overshadowed a significant data leak related to Covid vaccination. This new controversy has diverted attention from the CoWin breach, which has long-lasting implications for the people of India. The stolen data includes personal details such as names, gender, birth information, Aadhaar numbers, PAN cards, passport numbers, voter IDs, and vaccination centre details. This sensitive information was made accessible through a Telegram channel, highlighting the extent of the danger posed by the breach. The Ministry of Information Technology and government agencies are desperate to downplay the threat, but their attempts to defend the situation only further expose the vulnerability. They have even resorted to emphasising the chronology of the breaches, suggesting that they relate to the past. However, once stolen, the credentials are permanently lost to fraudsters, leaving victims with no recourse. Unlike compromised passwords or similar credentials that can be changed, stolen data from sources like Aadhaar or the CoWin portal remains compromised indefinitely.
The government may believe that privacy concerns are only relevant to activists or the more informed individuals, assuming the vast majority of the population remains unaffected. However, the silent majority, while perhaps unaware of their sacred right to privacy, are potential victims of fraud just like anyone else. Minister of State for Electronics and Information Technology Rajeev Chandrasekhar’s defence of the government, suggesting that the Telegram bot seemed to be populated with previously stolen data, betrays a certain disregard for the rights of the victims. The breach itself is the concern, regardless of when it occurred. Considering the track record of various portals, including the so-called fortified Aadhaar data, the breach of the CoWin portal comes as no surprise. When the platform was launched in 2021, technology activist Anivar Aravind from Bengaluru warned about the associated risks. He had even approached the Karnataka High Court to challenge the Modi government’s decision to make the Arogya Setu app mandatory for vaccination and other services, highlighting the dangers of collecting such personal information. While Arogya Setu eventually lost its popularity, his warnings have unfortunately proven true.
Every data breach is followed by an increase in fraud, as scammers exploit the stolen data to send phishing messages across various devices and channels. Unsuspecting victims fall prey to fraudsters who use the information for nefarious activities, including financial fraud. The victims are not concerned with the technicalities cited by Rajeev Chandrasekhar and other officials; they simply suffer the consequences. For instance, the leak of the PM-Kisan Aadhaar database exposed the personal information of over 8.5 crore farmers, including their names, addresses, bank account numbers, and Aadhaar numbers. The breach occurred because the data was stored on an unsecured server, accessible to anyone with an internet connection. This means that anyone with malicious intent could have accessed the data and committed identity theft. The government’s scheme required farmers to provide their Aadhaar numbers and other personal information to receive benefits, but the breach compromised their privacy. This breach raises serious concerns about the security of government databases and highlights the urgent need for stronger security measures to protect citizens’ data. The government must ensure that its databases are secure and not vulnerable to unauthorised access. Additionally, it should guarantee that data is not shared with third parties without individuals’ consent.
