The National Informatics Centre (NIC), the central network for e-governance of the Indian government, was hacked in June and it has come to light that fake digital certificates were issued without being detected for days.
According to The Hindustan Times, a major security breach occurred at the NIC, which is linked to all the ministries and departments of the central government and of the state governments, when it was hacked on 25 June, giving hackers full access to all the sensitive data in its directory.
Since NIC is an authorizing entity for issuing digital certificates for safe internet transactions, a huge question mark hangs over the entire ambit of safe net practices in India, as the hackers were able to issue fake digital certificates for days before the breach was detected.
Digital certificates enable authentication of users and ensure safe transactions in terms of emails, payments and other sensitive data. The fact that fake certificates were issued by the entity entails a serious compromise of sensitive data such as passwords, names and personal data of users. Also, since the cyber crime went undetected for days, it also posed risk of big financial frauds.
What adds further embarrassment to NIC is that while it failed to detect the breach, the incident was brought to notice by IT bigwigs such as Google and Microsoft, as a significant portion of web traffic passes through those search engines and browsers.
The organization also tried to underplay the incident, claiming that four fake certificates were issued, which was refuted by Google that reportedly found a fifth fake certificate.
Authorities claim that the hackers are based somewhere outside India. "Our site was attacked from outside India. The auditors have investigated between July 4 and 7 and urgent steps have been taken to mitigate the vulnerabilities," Ajay Kumar, director general of NIC, told HT.
While NIC investigated the breach, it has been unwilling to share the report with the IT companies who were first to raise the alarm, much to their dismay.
Microsoft shot a strongly-worded letter to the organization, stating that they were "disappointed" with NIC's non-cooperation and that the issue "raises serious concerns about (India's) trustworthiness".
"We have been disappointed with your organisation's reluctance to share with us the investigation report," Matt Thomlinson, vice president for security services at Microsoft said in his letter addressed to the controller of certifying authorities TA Khan and secretary in the department of technology RS Sharma, on 25 July.
"The current situation presents risk to customers and business around the world ... (and) the network based attacker can tamper with audit logs and erase evidence of certificates being issued," he said, adding that the breach had raised "very serious concerns about the trustworthiness of India's entire security certification system".
At present, Google and Microsoft are unwilling to accept NIC's certificates and have also declared several 'NIC certified' government websites unsafe.
