Hi Friends,

Even as I launch this today ( my 80th Birthday ), I realize that there is yet so much to say and do. There is just no time to look back, no time to wonder, "Will anyone read these pages?"

With regards,
Hemen Parekh
27 June 2013

Now as I approach my 90th birthday ( 27 June 2023 ), I invite you to visit my Digital Avatar ( www.hemenparekh.ai ) and continue chatting with me, even when I am no longer here physically.

Saturday, 4 November 2023

Big Daddy of Data Breach

Context :

ICMR data leak reveals personal info of 81.5 cr Indians: Report   …………… 30 Oct 2023


Extract :


In a massive data breach, details of over 81.5 crore citizens held by the Indian Council of Medical Research (ICMR) are on sale on the dark web. The data contains crucial information such as Aadhaar and passport details, along with names, phone numbers, and addresses, according to the reports.


Given the severity of the matter, the Central Bureau of Investigation ( CBI ) is expected to probe the incident after the ICMR files a complaint.


The data breach noticed by the US-based cybersecurity and intelligence firm Resecurity mentioned that "on October 9, a threat actor going by the alias ‘pwn0001’ posted a thread on Breach Forums brokering access to 815 million 'Indian Citizen Aadhaar and Passport' records".


Moreover, the cybersecurity analysts found one of the leaked samples containing 100,000 records of PII ( personally identifiable information) related to Indian residents.


In this sample leak, the analysts identified valid Aadhaar Card IDs, which were corroborated via a government portal that provides a "Verify Aadhaar" feature.


The analysts also managed to connect with the threat actor and learned they were willing to sell the entire Aadhaar and Indian passport dataset for $80,000 (over Rs 66 lakh).


However, the threat actor declined to specify how they obtained the data.


Last month, cybersecurity researchers found that the official website of the Ministry of AYUSH in Jharkhand had been breached, exposing over 3.2 lakh patient records on the dark web.


According to the cybersecurity company CloudSEK, the website's database, amounting to 7.3 MB, holds patient records that include PII and medical diagnoses. The compromised data also contains sensitive information about doctors, including their PII, login credentials, usernames, passwords, and phone numbers.


The data breach was initiated by a threat actor named "Tanaka".


My Take :


ICMR is a govt funded / controlled body.


Now, Rajeev Chandrasekharji has said :


Question :

The law empowers users to demand that personal data collected with their consent be corrected, updated, completed or erased. But how can this gap be addressed?


Rajeev Chandrasekhar :

There is absolutely no differentiation in the obligation under the law for ANY ENTITY, be it private or government, as long as it's a data fiduciary.


That means, if you collect data, regardless of whether you are the government or a private entity, you will be liable to follow the law and carry out the obligations that have been laid out for you as a data fiduciary.


Question :

You had previously mentioned that the day the law comes into force, all data fiduciaries will be required to send notices to data principals and take their consent on using their personal data.

Do you think this will lead to CONSENT FATIGUE among users on DAY ZERO, as they will be flooded with notices?


Rajeev Chandrasekhar :

This is as per law.

Our principle is that "consent must be taken from a data principal".

We have enacted the law after consultations on certain principles. The principle here is that :

There should be consent of the citizen BEFORE his or her data is processed for ANY purpose by the data platform.


Dear Chandrasekharji,


As per DPDPA-23, ICMR is required to write to each of those 81.5 crore Data Principals :


"Hey Friend, I have the following data about you:

Aadhaar and passport details, along with your name, phone number, address and health data.

Do you want me to keep it? Then give your INFORMED consent.

If not, reply ( to this E Mail / WhatsApp / SMS ? ) saying so, and I will DELETE your personal data and inform you."


Dear Chandrasekharji,


There are hundreds of Govt departments / agencies / bodies etc., which have some or other data ( although mostly INCOMPLETE or outright OBSOLETE ) on each and every citizen.


As per DPDPA, all of these MUST write to those citizens for their INFORMED CONSENT.


Is this feasible / practical ?


I, once again, urge you to consider the alternative suggested in my following emails :

SARAL ( Single Authentic Registration for Anywhere Login ) …. 10 Feb 2019

Digital Dividend from Demographic Data [ 4 D ] …. 14 Feb 2019

Only Answer : a Statutory Warning …. 10 Nov 2018


With regards,

Hemen Parekh

www.hemenparekh.ai / 05 Nov 2023


My consultant BARD had the following to say about my suggestion ( SARAL ) :


I have read your blog post and I agree that the Digital Personal Data Protection Act (DPDPA) has some impractical provisions. In particular, I think it is unrealistic to require all government departments and agencies to write to each citizen to obtain their informed consent to use their personal data.

I think your alternative suggestion of a Single Authentic Registration for Anywhere Login (SARAL) system is a good one.

A SARAL system would allow citizens to give their consent only once, and then that consent would be valid for all government departments and agencies.

Here is a summary of the key benefits of a SARAL system:

· It would be more efficient and effective than requiring each government department and agency to obtain its own consent from citizens.

· It would be more convenient for citizens, as they would only need to give their consent once.

· It would give citizens more control over their personal data, as they would be able to choose which government departments and agencies they want to share their data with.

I think the government should seriously consider implementing a SARAL system.

It would be a significant improvement over the current system, which is impractical and inefficient.

In addition to the benefits you have mentioned, a SARAL system could also help to reduce the risk of data breaches.

By centralizing the collection and management of personal data, the government would be able to better protect it from unauthorized access and use.

I hope this is helpful!
