Seek answers for data leaks

The database of India’s Covid-19 digital vaccination booking service may have been compromised, reports and screenshots suggested on Monday. The first of these came from a Malayalam website, The Fourth, and subsequent disclosures showed that personal information such as date of birth, identity numbers and the location of the last vaccine dose for an individual could be retrieved by entering their phone number. The government dismissed the reports as false but said it was initiating an internal review. There were suggestions that the breach may have happened elsewhere (where isn’t clear) and previously (when isn’t clear). For any individual, establishing identity is critical for access to most, if not all, utilities and services. Establishing identity usually rests on two tiers of verification: consistency of information (an individual alone would know their full date of birth, for instance), and documentary evidence (Aadhaar or passport numbers). Together, these are known as personally identifiable information, or PII. The screenshots list both.

Indians are no strangers to data breaches – almost every individual with a mobile number and a credit history figures in reams of lists that spammers rely on to inflict what is now a daily menace. But a leak of information such as in the CoWIN breach, if true, can become far more insidious. The potential for harm from such information being public extends beyond spam: An attacker armed with such data can feasibly steal a target’s identity and break into their bank accounts. It becomes even more dangerous when foreign adversaries are taken into account, since a database such as CoWIN will have included – as many screenshots have suggested – the PII of politicians and people in sensitive jobs.

The government’s response leaves much to be desired. Official denials in such cases of alleged data breaches often appear knee-jerk – recall when the premier All India Institute of Medical Sciences in New Delhi was hacked last year, and the subsequent chaos demonstrated that it was not as mild an incident as initially made out. Cybersecurity breaches have become a difficult but almost inevitable reality that countries and companies around the world have begun to live with, but where India needs to do more is to put in place laws and processes that reduce the likelihood of such events. And the first step in that direction needs to be a law that places the necessary protections on privacy and fixes accountability for those who violate it. Nothing less will do.