81.5 crore data breach: Do we blame the Government or the hacker?

We refer to the newspaper reports about the data leak at ICMR. It is stated that data of 81.5 crore citizens is up for sale in the dark web.

While there can be a separate discussion on the possible security failure at ICMR and how such data breaches will be handled in the post DPDPA 2023 scenario, I would like to bring to the discussion table an entirely different perspective.

When such data breaches occur and the victim is a Government body, all professionals end up blaming the Government. Media by their nature also blames the Government and probably Mr Modi for batting for digital India.

But has any body blamed the hackers who have made it a habit to attack Indian Government assets to display their hacking skills as if it is a fair game and no adverse consequences to follow?

Just as Lutiyan media, Left liberals and UN blames Israel without condemning the Hamas attack, media only blames the Government without condemning the hackers who steal data and post it in the DarkWeb as if it is their right to do so. Crime is not a right and we need the society to understand this.

According to the report in news 18 CERT IN has roped in multiple agencies of the Government and considering the breach as a sensitive data breach involving Aadhaar and Passport data.

I hope this report is true because in the past CERT IN or MeitY has not shown the necessary concern to address such data breaches. When a Government asset is breached, CERT IN feels shy thinking that it is guilty of lack of its own inability in enforcing information security within the Government bodies and would be inclined to underplay the incident.

The tendency of the Government/CERT IN/MeitY is similar to a corporate executive who tries to delay reporting of an incident because he is shamed by a data breach in his company and unable to go to his CEO immediately and say… Sorry, I made a mistake. Instead, he tries to resolve the issue first and in the process create more damage than what was necessary.

In the ICMR Case, it is evident that the scale of data breach and the nature of personal data and the intention of making it available on the Darkweb to any enemy of the country indicate that this incident reflects an unauthorized access and a Section 66F offence under ITA 2000.

If the Government is serious, they have to put the fear of God in the hackers who attempt at hacking Indian Government websites and data bases and steal the data.

I would have loved to read in the News18 report that ICMR is filing an FIR under Section 66F against unknown hacker who has placed the data for sale and in conspiracy with others who must have assisted him. Further investigations would reveal whether it was an information security gap or there was any insider involvement or whether it had any involvement of the supply chain system.

Government/ICMR need to announce an attractive reward for any information leading to the finding of the source of the ICMR hacking and some security expert may be able to find out the identity of the person who has posted the data for sale in the dark web.

I donot think that hacking into Government data assets is different from Chinese intrusion into Ladakh or Pakistan intrusion into Kargil. The Government should not be soft to such activities and take such action which would deter them from trying such things once again.

It appears that many hackers are using Government assets as target practice for honing their hacking skills and we need to put an end to such a practice.

We often hesitate to use the available laws and this attitude needs to change.

I am stating this with my own personal experience of instances when Cyber Terrorism instances were brought to the attention of CERT In and MeitY and they failed to take it to a logical conclusion.

One was a case of Digilocker which was hacked and unauthorized access was gained to around 3 billion documents and the hacker boldly published his exploit on the web. When CERT In and Digilocker came to know if it, they did not lodge any FIR on the hacking irrespective of whether there was any vulnerability in the security or not.

Such softness create an impression that Indian enforcement system is not good enough to be feared by hackers.

Let us now wait and see if the MHA wakes up at least in the case of ICMR hacking and file a Section 66F complaint. Even in other cases, MHA should at least send notices and demand admitted hackers to show cause why a Cyber Terrorism complaint cannot be launched against them.

If MHA is watching this website as they should, they can respond with filing a Cyber Terrorism case in this instance and have a NIA-CBI investigation.


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.