A parliamentary standing committee has expressed serious concerns over security vulnerabilities in the Indian Council of Medical Research (ICMR) system, as highlighted by the Indian Computer Emergency Response Team (Cert-In). The committee’s latest report, tabled on Tuesday, underscores the need for stringent security measures and transparency regarding the protection of sensitive data.
According to the report, Cert-In identified multiple security gaps in ICMR’s system, including weak application design and insufficient security controls. The investigation was triggered after threat intelligence reports in October 2023 suggested that personal data from ICMR was being sold online. In its Action Taken Notes submitted on January 7, the Ministry of Electronics and Information Technology (MeitY) acknowledged these findings, revealing that security measures needed to be significantly enhanced to prevent such breaches.
The committee has now sought a comprehensive response regarding the steps taken to address these security flaws. It has requested detailed information on the analysis report shared with law enforcement agencies, the extent to which these vulnerabilities have been mitigated, and whether there has been a reduction in the number of data breaches since the implementation of corrective measures.
Cert-In had earlier advised ICMR to establish a robust and documented security policy, adopt a risk-based security approach, conduct regular risk assessments, ensure security-by-design principles in application development, and perform a thorough security audit of the entire ICMR ecosystem. The parliamentary committee now wants to ascertain if these recommendations have been effectively implemented and whether they have led to tangible improvements in cybersecurity.
In addition to ICMR’s security concerns, the committee is also keen to understand the security protocols adopted by MeitY to safeguard digital data across various government platforms. It has emphasized the need for foolproof security measures throughout the entire data lifecycle and has sought details on monitoring and enforcement strategies.
The report also touched upon the growing instances of fraud related to the Aadhaar-enabled Payment System (AePS). The committee has requested updates from Cert-In, the Unique Identification Authority of India (UIDAI), and acquirer banks on the preventive measures they have taken and the challenges they face in tackling financial frauds. It is particularly interested in the collaboration between Aadhaar and the National Payments Corporation of India (NPCI) in curbing such fraudulent activities.
In its Action Taken Notes, MeitY had informed the committee that more than 250 Android and banking-related malware apps, often sideloaded outside official app stores, had been blocked at the recommendation of the Indian Cyber Crime Coordination Centre (I4C). Additionally, over 130 suspicious loan apps had been suspended for violating Google’s policies. The committee now seeks clarity on whether such critical information is shared exclusively with major technology companies like Google or if it is also disseminated to local search engines and digital connectivity agencies working in rural India.
Furthermore, I4C has recommended that the Reserve Bank of India (RBI) whitelist all mobile apps offering instant loans while identifying and eliminating inactive, defunct, and non-compliant non-banking financial companies (NBFCs) often exploited for cyber fraud. The parliamentary panel has now demanded updates on the actions taken by RBI and law enforcement agencies under the Ministry of Home Affairs (MHA) to crack down on fraudulent lending apps and unregistered entities involved in financial scams.
As concerns over data security and digital fraud grow, the committee’s report highlights the urgent need for government agencies to implement stringent cybersecurity measures. The panel’s inquiries signal a push for greater accountability and transparency in handling sensitive data, reinforcing the importance of robust security protocols to protect citizens from cyber threats.
