Why Is No One Ever Penalised for Data Breaches in India?


Indian software service companies are some of the most profitable entities in the world. They provide technology solutions that power Fortune 500 companies and governments across the world, but is their code always secure?

The answer is never a simple binary; the real world is more complex. Wired's website has reported a large-scale breach of the private information of millions of students and teachers through the Digital Infrastructure for Knowledge Sharing (DIKSHA) app of the government of India.

This is not the first time data breaches have been reported at this scale and this won’t be the last either, but will this change even with the Digital Personal Data Protection law in place?

Wired and the researchers who discovered the security flaw in the DIKSHA app tried to report it to the Ministry of Education and received no response. They were only able to get the issue fixed when they contacted the organisation that built DIKSHA – EkStep, a foundation co-founded by IT billionaire Nandan Nilekani.

Deepika Mogilishetty, the chief of policy and partnerships at EkStep, told Wired that while EkStep does support the development of DIKSHA, the responsibility of data and its security lies with the Union Ministry of Education.

This is not the first time that organisations linked directly to Nandan Nilekani are involved in data breaches, with their direct involvement in Aadhaar and security issues around its design. It is Nilekani’s organisations that have successfully lobbied how the government of India should be building and collecting Indians’ personal data, as designed in his TAG-UP report.

Ideally, when the security researcher reached out to the DIKSHA team, the Union education ministry should have alerted CERT-IN (the Indian Computer Emergency Response Team) and the flaw should have been fixed. CERT-IN is also ideally required to do a forensic analysis and determine whether the security flaws have been exploited by anyone. But unfortunately it takes more than having a privacy policy to actually follow it and secure people's information, especially when they are children.

CERT-IN, like the Ministry of Education, has been ignoring its…
