The Indian government has outright denied a report that data breaches at organisations such as Air India, Big Basket and Domino’s have exposed the email IDs and passwords of National Informatics Centre (NIC) email accounts to hackers.
“There has been no cyber breach into the email system of the Government of India maintained by the National Informatics Centre (NIC). The email system is totally safe and secure,” the government said in a press release.
It added that “cyber security breach on external portals may not impact the users of Government Email Service, unless the Government users have registered on these portals using their Government Email Address and have used the same password as the one used in the Government Email Account.”
“Adversaries” sending malicious mails to govt officials
Earlier, a report in The Hindu quoted an internal government document as saying: “compromised emails on government domains such as @nic.in and @gov.in are potential cyber threats as they are being used by ‘adversaries’ to send malicious mails to all government users.”
The government alert note had reportedly said: “It is intimated that recent data breaches of Air India and other companies like Domino’s, Big Basket etc. have resulted in exposure of e-mail ID and passwords of many users, which includes lots of government email IDs as well. All such compromised gov. domain emails are potential cyber threats as they are being used by the adversaries to send out malicious emails to all government email users. It may please be noted that largely these are name-based email IDs which are available with the malicious actors.”
The government alert warned that hackers were planning to target government officials using a variety of methods, including phishing, in which attackers send emails to officials instructing them to click on a specific file or weblink and obtain permission. Several government officials, including defence ministry officials, were also reportedly sent a malicious link through WhatsApp and SMS, asking them to update their Covid-19 vaccination status.
“NIC system has put in place several security measures”
As per a tweet from independent internet security researcher Rajshekhar Rajaharia, “Hackers r sending malicious emails to government officials. They Created a website Covid19India[.]in (Now Suspended), similar to government site. This website was accepting only govt emails to get the official’s password. Website was hosted in Pakistan.”
The government, for its part, clarified: “NIC Email system has put in place several security measures such as two factor authentication and change of password in 90 days. Further, any change of password in NIC Email requires mobile OTP and if the mobile OTP is incorrect then change of password will not be possible. Any attempt of phishing using NIC Email can be mitigated by NIC. NIC also undertakes user awareness drives from time to time and keeps updating the users about potential risks and safety protocols.”
Interestingly, the government denial, while categorical that there was no breach at NIC, is silent on whether it sent out an alert note to its officials.
It may be recalled that last February, Air India had a breach that affected around 45 lakh “data subjects” worldwide. In April, personal data of over 2 crore Big Basket customers was put up for sale on the dark web. In May, data from 18 crore Domino’s India orders became public, and hackers created a search engine for it on the dark web.