The Ministry of Electronics and Information Technology said that recent credential leaks from Domino’s, BigBasket and Air India didn’t impact the email system used by government employees. At least one of those breaches, BigBasket’s, reportedly includes password data, raising concerns that the millions of leaked password hashes might include some government employees’ credentials and leave their official email accounts vulnerable. The government said in a statement Sunday that this concern wasn’t valid:
In view of this it is important to clarify that firstly, there has been no cyber breach into the email system of the Government of India maintained by the National Informatics Centre (NIC). The email system is totally safe and secure.
Secondly, cyber security breach on external portals may not impact the users of Government Email Service, unless the Government users have registered on these portals using their Government Email Address and have used the same password as the one used in the Government Email Account. — MEITY Statement
Password reuse is very common, so even MEITY’s denial appears to concede that some email accounts that use the same password across services might be impacted. However, the Ministry added that government email account holders are required to change their passwords every three months, which might reduce the risk substantially; it is unclear, though, if the 90-day password change is a requirement or if it is simply a persistent notification that users can choose to ignore. In the latter case, the risk may well be more elevated.
The National Informatics Centre, which operates government email addresses, was reportedly hit with a hack last September. The Print reported at that time that hundreds of computers were impacted. Over the past weekend, Delhi Police claimed to the publication that only one computer was affected and that the attackers had been identified, though none were named.
Besides holding attackers accountable, the government’s options to limit breaches and their impact elsewhere are limited in the absence of a Data Protection Bill. After seeming to misspeak and claiming that the joint parliamentary committee on the Personal Data Protection Bill had submitted its report, IT Minister Ravi Shankar Prasad said on Twitter that the report was yet to be submitted and that he looked forward to the law getting legislated soon. The Hindustan Times reported that there are likely to be significant differences between the original bill and the draft report that the committee has come up with.