Cong slams Rajeev Chandrasekhar for 'data breach' of 1.4bn people (Ld)

New Delhi, June 12 (IANS) The Congress on Monday criticised the government over the alleged data breach of the Covid vaccine beneficiaries, dubbing it as a very grave matter with serious implications for privacy, making everyone vulnerable to financial fraud.

The Congress also slammed Union Minister of State for Electronics and IT Rajeev Chandrasekhar, saying instead of issuing casual "WhatsApp forward-style tweets, he should clarify at the very least".

In a tweet, Congress General Secretary Jairam Ramesh said: "The personal data breach is a very grave matter with serious implications for privacy, security and makes us all vulnerable to financial frauds. The tech-savvy Minister instead of issuing casual WhatsApp forward-style tweets should hold a Press Conference at the earliest and clarify at the very least."

Firing questions at the government, the Rajya Sabha MP said: "What does he mean by 'previously stolen data stolen in the past' - stolen from which database, when, and what action was taken? If the CoWIN database hasn't been 'directly breached', is the Minister then accepting that it is an indirect breach? What other databases are linked to the CoWIN database that has led to this vulnerability?"

Ramesh also asked what immediate steps the Narendra Modi government is taking to secure the personal data of crores of Indians who trusted the government to keep their details safe.

Even earlier, Congress general secretary (organisation) KC Venugopal on Monday hit back at Chandrasekhar, saying that he was appalled at the minister's casual response regarding the breach of privacy of 1.4 billion Indians.

Venugopal engaged with Chandrasekhar after Trinamool Congress spokesperson Saket Gokhale alleged that the data of several citizens, including politicians and journalists, who took Covid vaccine, has been leaked and asked why the Centre was not aware of the incident.

In a response to Chandrasekhar's tweet, Venugopal, who is a Rajya Sabha MP said, "I am appalled at your casual response to the breach of privacy of 1.4 billion Indians. If a Telegram bot can throw up CoWIN details simply by inputting mobile numbers, it will not take too long for an automated software to harvest all COWIN data within a matter of hours."

The Congress leader said that this breach clearly shows that CoWIN data was not encrypted.

"If it were, only those with the necessary authorisation will be able to access such data, and random Telegram bots will not be able to decrypt such personal data," he said, adding that "since you mention 'previously breached/stolen data,' you're clearly admitting that CoWIN data has already been breached. It is then baseless for you to say that it 'does not appear' that the CoWIN app has been breached."

"Until June 2021, nearly 6 months after the vaccination process began, the CoWIN app had no privacy policy and the government even refused to put one in place," he said.

He said that in 2017, the Supreme Court declared the Right to Privacy as a fundamental right.

"The government also gave an assurance that a data protection law was in the making. From the time of the constitution of the Srikrishna Committee on Data Protection in 2017 until today, we have seen multiple versions of the Data Protection Bill, countless rounds of consultation, and a Joint Parliamentary Committee. Except, in its last move, the government decided to completely start afresh, instead of rectifying the lacunae in the draft legislation," he said.

"The duty of any entity, especially the government, is to protect individual privacy above everything else. This responsibility also extends to destroying data which is no longer required, so that it is not vulnerable to such breaches. If not, the entity must have watertight mechanisms to protect data in its custody. No step taken by the government, be it in managing health data through CoWIN or Aarogya Setu, or in implementing any data protection framework, inspires confidence.

It is clear that no citizen can trust this government with its private information. Only an impartial, high-level judicial probe into the government's entire data management apparatus can identify the extent of danger that is posed to our privacy as a result of this government's carelessness," Venugopal added.

His remarks came after Chandrasekhar in a tweet said, "With reference to some alleged CoWIN data breaches reported on social media, CERT-In has immediately responded to the threat and reviewed it."

"A Telegram bot was throwing up CoWIN app details upon entry of phone numbers. The data being accessed by bot from a threat actor database, which seems to have been populated with previously breached/stolen data stolen from the past," the minister said in a tweet.

The minister said that it does not appear that the CoWIN app or database has been directly breached.

The National Data Governance policy has been finalised that will create a common framework of data storage, access and security standards across all of the government," Chandrasekhar said.

Meanwhile, the Union Ministry of Health and Family Welfare (MoHFW) on Monday dubbed the alleged data breach of Covid-19 vaccine beneficiaries as "mischievous in nature", saying that the CoWIN portal is completely safe with adequate safeguards for data privacy.

The Health Ministry said that it has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report, besides initiating an internal exercise to review the existing security measures of CoWIN.