The Indian government’s IT infrastructure and domain service provider National Informatics Centre (NIC) has denied any data breach on its systems, according to a press release published on 13 June.
The NIC, which is set up under the Ministry of Electronics and Information Technology (Meity) issued the clarification on June 13 after a report by The Hindu claimed that hundreds of emails addresses belonging to union government officials were breached.
The report pointed out that due to recent data breaches of companies such as Air India, Domino’s, and BigBasket, IDs of several government officials’ were also exposed.
The compromised email addresses belong to domains ID including @nic.in, @gov.in, The newspaper cited an alleged internal communication accessed by it. The report pointed out that days after the communication was sent to officials on June 10, several government officials including those from the Defence Ministry were targeted with malicious links.
However, the NIC has now put out a statement claiming that no such breaches took place on its systems.
“A media story on the impact of data breaches in organisations such as Air India, Big Basket and Domino’s has claimed that these breaches have exposed email accounts and passwords of NIC emails to the hackers. In view of this, it is important to clarify that firstly, there has been no cyber breach into the email system of the Government of India maintained by the National Informatics Centre (NIC). The email system is totally safe and secure,” the press release said.
The government statement further pointed out that cybersecurity breaches on external portals may not impact the users of government-run email services, unless the government users have registered on these portals using their work email IDs.
NIC email system has put in place several security measures such as two factor authentication and change of password in 90 days. In addition, any change of password in NIC email ID requires mobile OTP, the government statement added.
Inc42 had earlier pointed out that due to a global pandemic sweeping through the world, Indian companies have become more vulnerable to cyberattacks and data breaches and many of the top tech startups have fallen victims.
Recently a slew of data breaches uncovered in India’s startup ecosystem has set alarm bells ringing among regulators and government agencies. Like Mobikwik in March 2021 — around 100 Mn users are said to be affected in the data breach, prompting public outcry and hints of regulatory intervention from the RBI. However, what surprised most observers was the staunch denial of responsibility from the fintech firm.
Given that India lacks a comprehensive data protection act, which has been stuck in limbo for more than three years, Mobikwik and others before it have been able to deny responsibility and skip any legal repercussions. In the last five years alone, more than two dozen consumer tech startups have either directly or indirectly been responsible for exposing personal and non-personal data of billions of customers cumulatively.
Startups in hyperlocal delivery, fintech, edtech, mobility, and content streaming were the worst affected. And we are not even covering the likes of Twitter and Facebook, which have also been impacted on several occasions, or indeed the more than a dozen cases of Aadhaar-related data leaks.