Software Freedom Law Centre, India (SFLC.in) wrote to CERT-In regarding the data breaches at Star Health and Allied Insurance and DotPe. SFLC.in urges CERT-In to conduct an urgent investigation into these cases.
The leaked personal data of over 31 million users raises grave concerns about the security of personal and sensitive information. Leaks can result in financial losses, identity theft, and susceptibility to fraudulent activities.
The harms emanating from data breaches are exacerbated by the fact that the rules under the Digital Personal Data Protection Act, 2023, have not been framed and notified yet.
Read the full letter below:
11th October, 2024
To,
Dr. Sanjay Bahl,
Director General,
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India, Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi, India- 110003
Sub: Urgent investigation into the Star Health and Allied Insurance data breach and the DotPe data breach
Respected Sir,
This is with respect to a recent spate of data breaches that have occurred in India. Multiple reports have been circulating since September 21st, 2024 that one of the biggest health insurance providers in India, Star Health and Allied Insurance, was impacted by a major data breach. The data of more than 31 million customers has been exposed. This data includes highly sensitive personal information, including names, phone numbers, residential addresses, tax information, ID copies, test results, and diagnoses, in a 7.24-terabyte leak. DotPe, a platform that provides digital solutions to restaurants, left its API endpoints vulnerable, which resulted in the exposure of sensitive information of both restaurants and their customers.
In the instance of Star Health and Allied Insurance, personal information, as defined under Section 2(t) of the Digital Personal Data Protection Act, 2023, has been exposed. Medical information in particular has been defined as sensitive personal information under Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. It is highly problematic that sensitive medical information has been leaked, as it exposes customers to potential fraud by bad actors in the health sector, such as predatory insurance agencies and laboratories. Medical information is confidential and must be afforded higher protection and held to a higher standard of accountability. A data breach of medical information must be addressed with urgency, as there is a high potential for misuse of medical data.
If the personal data of 31 million users has indeed been leaked, this would raise grave concerns about the security of personal information, since leaks of personal information can result in financial losses and susceptibility to fraudulent activities. With 31 million people estimated to have been impacted, the consequences can be severe, ranging from identity theft and impersonation to emotional distress with long-term fears of misuse of their personal information. India has in the recent past been the subject of several large-scale data breaches. In October 2023, the Aadhaar data of around 81 crore citizens was allegedly leaked, and in July 2023, the alleged CoWIN data breach also resulted in the exposure of sensitive personal information. As per a report by the data leak detection company Surfshark, India is currently one of the six countries with the most data breaches in the world. The fundamental right to privacy, guaranteed under Article 21 of the Constitution, continues to be violated by such instances, and it is pertinent to address and secure the personal data of citizens with urgency. The harms emanating from data breaches are exacerbated by the fact that the Rules under the Digital Personal Data Protection Act, 2023 have not been framed and notified yet. Until the Rules and the Act are notified, India effectively does not have a data protection regime to address such harms.
Section 70B of the Information Technology Act empowers CERT-In to conduct security audits and respond to data breaches. Rule 8 of the CERT-In Rules requires CERT-In to respond to cyber security incidents, and Rule 9 requires an analysis of such incidents. In light of the gravity and severity of these incidents, and under the powers granted to it, we urge CERT-In to investigate these data breaches immediately.
SFLC.in has been working extensively on promoting and protecting the digital rights of Indian citizens since 2010 and would be happy to engage further on this important issue.
Thanking you,
Prasanth Sugathan,
Legal Director,
SFLC.in