The Department of Electronics and Information Technology said recent credentials leaks from Domino’s, BigBasket and Air India had no impact on the email system used by government officials. At least one of these breaches – BigBasket’s – reportedly involves password data, raising concerns that among the millions of password hashes that have been leaked, some government officials’ credentials could leave their official email accounts vulnerable. The government said in a statement Sunday on which this concern was not valid:
With this in mind, it is important to clarify that, firstly, there was no cyber break into the Government of India’s email system managed by the National Informatics Center (NIC). The email system is completely secure.
Second, cybersecurity breaches on external portals must not affect users of the government email service. unless the government users have registered on these portals with their government email address and used the same password as the one used in the government email account. – MEITY declaration
Password reuse is widespread, so even MEITY’s refusal seems to admit that some email accounts that use the same password in all services could be affected. However, the ministry added that government email accounts are required to change their passwords every three months, which could significantly reduce the risk. However, it is unclear if the 90 day password change is required or if it is just a permanent notification that users can ignore. In the latter case, the risk can be increased.
The National Computer Science Center, which operates government email addresses, was reportedly hit by a hacker last September. The print reported at the time that hundreds of computers were affected. Last weekend, although the Delhi police asserts to the publication that only one computer was affected and the attackers were identified, none were named.
In addition to bringing attackers to justice, the government’s ability to limit violations and their effects elsewhere is limited in the absence of a data protection law. After apparently speaking wrongly and asserting that the Joint Parliamentary Committee on the Personal Data Protection Act presented its report, IT Minister Ravi Shankar Prasad said on twitter that the report has yet to be submitted and that he is looking forward to the early passage of the law. The Hindustan times reported that there will likely be significant differences between the original bill and the draft report presented by the committee.