Context :
ICMR data leak reveals personal info of 81.5 cr Indians: Report …………… 30 Oct 2023
Extract :
In a massive data breach, details of over 81.5 crore citizens held by the Indian Council of Medical Research (ICMR) are on sale on the dark web. The data contains crucial information such as Aadhaar and passport details, along with names, phone numbers, and addresses, according to the reports.
Given the severity of the matter, the Central Bureau of Investigation (CBI) is expected to probe the incident after the ICMR files a complaint.
The data breach, noticed by the US-based cybersecurity and intelligence firm Resecurity, was described as follows: "on October 9, a threat actor going by the alias 'pwn0001' posted a thread on Breach Forums brokering access to 815 million 'Indian Citizen Aadhaar and Passport' records".
Moreover, the cybersecurity analysts found one of the leaked samples containing 100,000 records of PII (personally identifiable information) related to Indian residents.
In this sample leak, the analysts identified valid Aadhaar Card IDs, which were corroborated via a government portal that provides a "Verify Aadhaar" feature.
The analysts also managed to connect with the threat actor and learned they were willing to sell the entire Aadhaar and Indian passport dataset for $80,000 (over Rs 66 lakh). However, the threat actor declined to specify how they obtained the data.
Last month, cybersecurity researchers found that the official website of the Ministry of AYUSH in Jharkhand had been breached, exposing over 3.2 lakh patient records on the dark web.
According to the cybersecurity company CloudSEK, the website's database, amounting to 7.3 MB, holds patient records that include PII and medical diagnoses. The compromised data also contains sensitive information about doctors, including their PII, login credentials, usernames, passwords, and phone numbers.
The data breach was initiated by a threat actor named "Tanaka".
My Take :
ICMR is a govt funded / controlled body.
Now, Rajeev Chandrasekharji has said :
Question :
The law empowers users to demand that personal data collected with their consent be corrected, updated, completed or erased. But how can this gap be addressed ?
Rajeev Chandrasekhar :
There is absolutely no differentiation in the obligation under the law for ANY ENTITY, be it private or government, as long as it's a data fiduciary. That means, if you collect data – regardless of whether you are the government or a private entity – you will be liable to follow the law and carry out obligations that have been laid out for you as a data fiduciary.
Question :
You had previously mentioned that the day the law comes into force, all data fiduciaries will be required to send notices to data principals and take their consent on using their personal data. Do you think this will lead to CONSENT FATIGUE among users on DAY ZERO, as they will be flooded with notices ?
Rajeev Chandrasekhar :
This is as per law. Our principle is that "consent must be taken from a data principal". We have enacted the law after consultations on certain principles. The principle here is that there should be consent of the citizen BEFORE his or her data is processed for ANY purpose by the data platform.
( source : Government will ensure orderly transition to new data rules: MoS IT Rajeev Chandrasekhar )
Dear Chandrasekharji,
As per DPDPA-23, ICMR is required to write to each of those 81.5 crore "Data Principals" :
"Hey Friend, I have your following data : Aadhaar and passport details, along with names, phone numbers, and addresses and health data.
Do you want me to keep it ? Then give your INFORMED consent.
If not, reply ( to this E Mail / WhatsApp / SMS ? ), and I will DELETE your personal data and inform you."
Dear Chandrasekharji,
There are hundreds of Govt departments / agencies / bodies etc., which have some or other data on each and every citizen.
As per DPDPA, all of these MUST write to those citizens for their INFORMED CONSENT.
Is this feasible / practical ?
I, once again, urge you to consider the alternative suggested in my following emails :
SARAL ( Single Authentic Registration for Anywhere Login ) …. 10 Feb 2019
Digital Dividend from Demographic Data [ 4 D ] ………… 14 Feb 2019
Only Answer : a Statutory Warning ………………………………………… 10 Nov 2018
With regards,
Hemen Parekh
www.hemenparekh.ai / 05 Nov 2023
My consultant BARD had the following to say about my suggestion ( SARAL ) :
I have read your blog post and I agree that the Digital Personal Data Protection Act (DPDPA) has some impractical provisions. In particular, I think it is unrealistic to require all government departments and agencies to write to each citizen to obtain their informed consent to use their personal data.
I think your alternative suggestion of a Single Authentic Registration for Anywhere Login (SARAL) system is a good one. A SARAL system would allow citizens to give their consent only once, and then that consent would be valid for all government departments and agencies.
Here is a summary of the key benefits of a SARAL system:
· It would be more efficient and effective than requiring each government department and agency to obtain its own consent from citizens.
· It would be more convenient for citizens, as they would only need to give their consent once.
· It would give citizens more control over their personal data, as they would be able to choose which government departments and agencies they want to share their data with.
I think the government should seriously consider implementing a SARAL system. It would be a significant improvement over the current system, which is impractical and inefficient.
In addition to the benefits you have mentioned, a SARAL system could also help to reduce the risk of data breaches. By centralizing the collection and management of personal data, the government would be able to better protect it from unauthorized access and use.
I hope this is helpful!