The breach comes at a time when Tamil Nadu is looking to collect more data on its residents in the absence of a data protection law.
A leak from the Tamil Nadu Civil Supplies and Consumer Protection Department has led to the Aadhaar details and other personal information of nearly 50 lakh people going on sale on a hacker forum, The Week reported. News of the leak was disclosed to the publication by Technisanct, a cybersecurity startup. The leak reportedly includes addresses, mobile numbers, Aadhaar numbers, and family information of 49,19,668 residents. That number represents a small share of the 6.76 crore people whose Aadhaar details have been registered by the Department, according to a dashboard on their website.
We have reached out to the department’s Joint Commissioner, who has been designated as the organisation’s Chief Data Officer, for comment. Upon calling, the JC’s office referred us to the state secretariat, saying that all media queries are handled centrally. We have sent an emailed query to the Tamil Nadu Secretariat and to the Joint Commissioner.
Breach of cybersecurity
At first blush, this breach is indicative of shoddy data security and management practices. The Civil Supplies Department, which issues ration cards and administers Tamil Nadu’s Public Distribution System for subsidised food, is likely the department with the richest datasets on families in the state. When applying for a “smart card,” an Aadhaar number is more or less mandatory. If the leaked data represents only a portion of the details in the possession of the hacker, whose username reportedly indicates that they are Vietnamese, then the scale of the breach is likely unfathomably damaging.
This reported breach comes even as Tamil Nadu attempts to create a cross-departmental database of the state’s residents, something that would likely increase the amount of data being collected on the state’s citizens, while also increasing the number of departments and officials who have access to that information. The state is also working on integrating its crime tracking tech stack by incorporating data from vehicle registrations, property ownership details, and tax records.
There is no data protection law in India yet that governs how this data is to be collected and protected. The state has a Cyber Security policy that envisions the creation of a state Computer Emergency Response Team, along the lines of the one that exists at the national level. CERT-TN does not appear to have been formally established with full-time employees; existing bureaucrats and officers from other departments currently serve in leadership positions. The policy also suggests that each department appoint a Chief Information Security Officer, a process that has not yet been completed.