Personally Identifiable Information

News Excerpt:

The Ministry of Corporate Affairs recently fixed a critical vulnerability in its online portal months after a cybersecurity researcher reported it to India's Computer Emergency Response Team (CERT-In). 

  • The vulnerability reportedly exposed personal details — like Aadhaar, PAN, voter identity, passport, date of birth, contact number and address — of more than 98 lakh directors of Indian companies. 

What is Personally Identifiable Information?

  • Personally Identifiable Information (PII) is any data or information maintained by an organization or agency that can potentially be used to identify a specific individual. 
  • This could include information such as Aadhaar, PAN, voter identity, passport, date of birth, contact number, communication address, and biometric information.
  • The constituents of PII vary depending on an individual’s home country. 
  • However, non-PII can be used in tandem with additional information to identify an individual. 
    • Non-PII information includes photographic images (especially of the face or other identifying characteristics), place of birth, religion, geographic indicators, employment information, educational qualifications, and medical records.
  • While access to one set of PII may be enough to compromise online security, access to multiple databases can be used to identify and target individuals.

What is the difference between sensitive and non-sensitive PII?

  • Non-sensitive PII is publicly available information and can be stored and transmitted unencrypted. 
    • This includes information such as zip code, race, gender, and religion.
    • These details cannot be used to identify an individual accurately.
  • Sensitive PII, when exposed, can be used to identify individuals and potentially cause harm. 
    • Sensitive PII is stored by employers, government organisations, banks, and other digital accounts used by individuals.

What are the risks of PII exposure?

  • Cyberattacks and weaknesses in digital infrastructure can lead to the exposure of citizens’ PII. 
  • Threat actors can access exposed PII and misuse it to launch targeted attacks on individuals. 
  • These attacks could range from phishing messages tailored with the victim's PII to fraudulently opening bank accounts and siphoning funds from accounts allotted to beneficiaries of government welfare programmes.
  • Threat actors may also use such information to obtain cellular connections and credit cards and compromise the security of an individual’s digital accounts. 
  • Threat actors also sell exposed PII on the dark web.

What are the recent events where PII was compromised?

  • In 2023, reports emerged that a bot on Telegram was returning the personal data of Indian citizens who registered with the COVID-19 vaccine intelligence network (CoWIN) portal for vaccination purposes. 
  • A similar data breach was reported when an American cybersecurity company said that the PII of 815 million Indian citizens, including Aadhaar numbers and passport details, was being sold on the dark web.
  • A data breach was also reported in the RailYatri platform in January 2023.
  • Additionally, a report from Resecurity (a cybersecurity company) said that 67% of Indian government and essential services organisations experienced over a 50% increase in disruptive cyberattacks. 
  • Furthermore, a survey of 200 IT decision-makers noted that 45% of Indian businesses experienced more than a 50% increase in cyberattacks.

How can one protect PII?

  • Individuals may not be able to prevent leaks in databases of government organisations or service providers. 
    • However, they can take steps to ensure that their PII is not readily available to threat actors.
  • Look for HTTPS in URLs when visiting unknown websites. The “S” stands for secure and is used by legitimate websites to protect the information they collect as it travels over unsecured connections. 
    • Some browsers may use a lock symbol in the URL bar to signify a secure website.
  • Use a VPN when accessing sensitive information using public networks. 
    • A VPN helps protect PII and other vital data by securing your online connection from prying eyes on public networks.
  • Keep track of your PII, such as Aadhaar, passport, PAN, Voter ID, and other important identity proofs. 
  • Avoid sharing or accessing images or details of identity documents through unknown devices.
    • If you access them at a photocopy shop or on devices owned by others, make sure to delete the documents, even from recycle bins, to ensure they are not misused.
  • Avoid sharing personal information on social media platforms.
  • If your PII is leaked, watch for phishing attacks that may use the leaked information to convince you they are legitimate.
  • Keep track of your bank account transactions, credit cards, and credit score; a hit in the score could mean your PII has been misused to procure credit cards in your name.

Provisions related to data security in India:

  • Digital Personal Data Protection Act 2023 (DPDPA):
    • It aims to empower citizens with the right to know and hold authority over their data. 
    • It limits corporate and government surveillance and citizen profiling possibilities with exceptions built in for national security and interests.
  • Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011:
    • It is a basic framework for regulating sensitive personal data.
    • These rules are limited primarily to the collection, possession, storage, handling, retention, transfer, and disclosure of sensitive personal data by corporations, and introduce a consent requirement for all such activities. 
    • The law prescribes certain “security practices and procedures” for handling sensitive data.
  • Justice B. N. Srikrishna Committee:
    • In 2017, the central government established a Committee of Experts on Data Protection, led by Justice B. N. Srikrishna. 
    • The primary objective of this committee was to investigate and analyse matters pertaining to data protection within the country.
  • Digital India Bill 2023 (DIA): 
    • It represents a significant step towards establishing a future-ready legal framework for the country’s burgeoning digital ecosystem. 
    • This move by the Ministry of Electronics and Information Technology (MEITY) signals a proactive approach to regulating and shaping the nation's digital future.
    • It is poised to replace the two-decade-old Information Technology Act of 2000 (IT Act). 
    • It is designed to address the challenges and opportunities presented by the dramatic growth of the internet and emerging technologies.
