New Delhi: As many as 47 incidents of data leak and 142 incidents of data breach have been reported during the last five calendar years, the Ministry of Electronics and Information Technology (MeitY) submitted in the Lok Sabha recently.
The information was provided by Union minister Rajeev Chandrasekhar in response to a question from Congress MP Pradyut Bordoloi, who had asked about the cases of reported leaks and breaches of user data during the past five years.
Bordoloi had also asked for the details of data hacked from the RailYatri app, which is authorised by the Indian Railway Catering and Tourism Corporation (IRCTC), and of the government websites from which data had been leaked.
The minister replied that “with the expansion of the Internet, more and more Indians coming online and increase in the volume of data generated, stored and processed, instances of data breaches have also grown.” He said as per information reported to and tracked by the Indian Computer Emergency Response Team (CERT-In), there were 47 incidents of data leak and 142 data breaches over the past five years.
As for the hacking of the RailYatri app, he stated that “as per information provided by IRCTC upon receipt of information from CERT-In in December 2022 regarding leakage of data, acquired and maintained by RailYatri app, the ticket-booking facility on RailYatri app was stopped, penalty was imposed on the company which is the custodian of the RailYatri app, and the app was restored after taking necessary security measures.”
Furthermore, the minister said, “as per the information reported to and tracked by CERT-In, a total of 10, 5 and 7 incidents of data leak related to government organisations were reported for the years 2020, 2021 and 2022 respectively.” On observing data leak incidents, he submitted, CERT-In notifies the affected organisations along with remedial actions to be taken and coordinates incident response measures with affected organisations, service providers, respective sector regulators and law enforcement agencies.
The minister also said that to “enhance the cybersecurity posture and thereby secure data against leak and breach, Government has acted on several fronts.”
In this regard, he said, several steps have been taken. As per these, “CERT-In, in April 2022, issued directions under section 70B for mandatory reporting of cyber incidents to CERT-In within six hours of such incidents being noticed or being brought to notice.” Thereafter, in December 2022, it also issued a special advisory on best practices to enhance the resilience of health sector entities, and urged the Ministry of Health and Family Welfare to disseminate the same to all authorised medical care entities and service providers in the country.
The reply also stated that a Cyber Crisis Management Plan was formulated by CERT-In for implementation by all ministries and departments of the Union and state governments and their organisations and critical sectors to counter cyber-attacks and cyber-terrorism.
Also, it said CERT-In now conducts regular training programmes for network and system administrators and Chief Information Security Officers of government and critical sector organisations regarding securing information technology infrastructure and mitigating cyber-attacks. To this end, a total of 42 training programmes were conducted, covering 11,486 participants, during the years 2021 and 2022.
The reply added that CERT-In has empanelled 150 security auditing organisations to support and audit implementation of Information Security Best Practices and it issues alerts and advisories on latest cyber threats/vulnerabilities and countermeasures to protect computers and networks on an ongoing basis.
‘Long way to go’
Reacting to the minister’s reply, the Internet Freedom Foundation, which “keeps a track of Indian citizen’s digital rights in the Parliament”, tweeted that it appreciates the steps being taken by the Ministry and CERT-In “to prevent data breaches” but added that “the country has a long way to go before building its cyber resilience.”
The group also shared its recommendations on preventing data breaches and providing redressal against them, which it had shared with MeitY. It said these recommendations were made “considering the possible violation of law by data fiduciaries in whose custody data was breached and the lacunae in the existing legal regime”.
The recommendations, among other things, had urged the government to “direct investigation into the conduct of data fiduciaries, including those mentioned below, that have faced data breaches in the past two years; mandate data fiduciaries to notify users in case they experience a data breach”; and “ensure that the Indian Citizens who have been impacted by data breaches are provided adequate compensation.”