
CERT-In Fixes AIIMS Organ Donor Data Leak

28 Jul 2025 GS 3 Science & Technology

Context

  • A critical data vulnerability was discovered in the Organ Retrieval Banking Organisation (ORBO) website of AIIMS, New Delhi.

  • It exposed personal and medical data of thousands of voluntary organ and tissue donors across India.

CERT-In's Role in the Incident

  • CERT-In (Indian Computer Emergency Response Team) is the national nodal agency for cybersecurity incidents.

About ORBO (AIIMS)

  • ORBO is the central coordinating body at AIIMS for cadaver organ and tissue donation.

  • It manages donor registration, public awareness, and transplantation protocols.

About CERT-In

  • Established in 2004; designated the national nodal agency for cyber security incident response under Section 70B of the IT Act, 2000 (inserted by the 2008 amendment).

  • Ministry: Electronics and Information Technology (MeitY).

  • Vision: Safe and secure Indian cyberspace.

  • Mission: Strengthen communication and IT infrastructure security through proactive actions and cooperation.

Key Functions of CERT-In

  • Issue security alerts, guidelines, and advisories.

  • Operate a 24x7 incident response help desk that provides timely response to reported cyber security incidents.

  • Provide incident prevention and response services as well as security quality management services.

  • Provide technical assistance to mitigate cyberattacks.

  • Collaborate with national and international cybersecurity agencies.

  • Host awareness campaigns and exercises:

    • Cyber Swachhta Kendra (2017) – Malware and botnet cleaning service.

    • Exercise Synergy (2022) – Global ransomware resilience exercise with 13 countries.

CERT-In Guidelines for Cybersecurity (April 2022)

Background

  • Issued by: CERT-In (Indian Computer Emergency Response Team) as Directions dated 28 April 2022

  • Legal Basis: Section 70B(6) of the Information Technology Act, 2000

  • Objective: Strengthen India’s cybersecurity under the Safe & Trusted Internet initiative.

  • The directions apply primarily to service providers, intermediaries, data centres, body corporates and government organisations.

Key Provisions

1. Time Synchronization

  • All covered entities must synchronise the system clocks of all their ICT systems with:

    • The NTP server of the National Informatics Centre (NIC), or

    • The NTP server of the National Physical Laboratory (NPL), or

    • Any server traceable to these.

  • Entities whose ICT infrastructure spans several geographies may use other accurate and standard time sources, provided these do not deviate from NPL and NIC time.


2. Mandatory Incident Reporting (within 6 hours)

  • Reportable by:

    • Service Providers, Intermediaries, Data Centres, Government Bodies, Corporates

  • Report to CERT-In via:

    • Email, phone, or fax

  • Must report within 6 hours of:

    • Noticing or being informed of an incident


3. Single Point of Contact (POC)

  • Entities must designate one POC to interface with CERT-In.

  • POC must:

    • Provide information

    • Act on CERT-In directives

    • Submit info in prescribed formats


4. Log Retention for 180 Days

  • Securely maintain logs of all ICT systems for a rolling period of 180 days.

  • Logs must be stored within Indian jurisdiction and furnished to CERT-In when directed.


5. KYC & Financial Data Retention

  • Applies to:

    • Virtual Asset Service Providers (VASPs)

    • Virtual Asset Exchanges & Custodian Wallets

  • Must maintain:

    • KYC records

    • Financial transaction records

    • For a period of 5 years
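The time-synchronisation, 6-hour reporting and 180-day log retention provisions (items 1, 2 and 4 above) are the ones an operator has to verify on real systems. The following is an added example, not code from CERT-In, AIIMS or the directions themselves, showing how such self-checks can be written: it parses constructed `chronyc sources` output to confirm the clock is actually locked to an approved server, estimates how many days of history a logrotate stanza keeps, and computes the reporting deadline from a timezone-aware timestamp. The NTP hostnames in APPROVED_TIME_SOURCES are assumptions standing in for the NIC/NPL servers; confirm the real endpoints with NIC/NPL. All sample inputs are constructed.

```python
"""Added example: self-checks for three of the April 2022 CERT-In directions
(time synchronisation, 6-hour incident reporting, 180-day log retention).
Not CERT-In or AIIMS code; all inputs below are constructed samples."""
import re
from datetime import datetime, timedelta, timezone

# Assumption: placeholders for the NIC/NPL NTP servers named in the direction.
APPROVED_TIME_SOURCES = {"samay1.nic.in", "samay2.nic.in", "time.nplindia.org"}
MIN_LOG_RETENTION_DAYS = 180
REPORTING_WINDOW = timedelta(hours=6)

# Constructed `chronyc sources` output. The first column is mode+state;
# '^*' marks the server the clock is currently synchronised to, '^?' unreachable.
CHRONY_SOURCES_OK = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* samay1.nic.in                 1   6   377    35   +123us[ +145us] +/-  2ms
^- time.nplindia.org             1   6   377    34   -456us[ -420us] +/-  5ms
"""
CHRONY_SOURCES_BAD = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* pool.example.net              2   6   377    12   +900us[ +910us] +/- 30ms
^? samay1.nic.in                 1   6     0     -     +0ns[   +0ns] +/-    0ns
"""

def selected_time_source(chronyc_sources_output):
    """Return the hostname chrony is currently synchronised to ('^*'), or None."""
    for line in chronyc_sources_output.splitlines():
        m = re.match(r"^\^\*\s+(\S+)", line)
        if m:
            return m.group(1)
    return None

def time_source_compliant(chronyc_sources_output, approved=APPROVED_TIME_SOURCES):
    """Direction 1: the *selected* source must be an approved NIC/NPL server.
    A server that is merely configured but unreachable does not satisfy this."""
    src = selected_time_source(chronyc_sources_output)
    return src is not None and src in approved

# Constructed logrotate stanzas: 26 weekly rotations vs. 30 daily rotations.
LOGROTATE_OK = """\
/var/log/auth.log {
    weekly
    rotate 26
    compress
}
"""
LOGROTATE_SHORT = """\
/var/log/nginx/access.log {
    daily
    rotate 30
    compress
}
"""
_INTERVAL_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "yearly": 365}

def logrotate_retention_days(stanza):
    """Approximate days of history a stanza keeps: rotate * interval, capped by
    `maxage N` if present (maxage deletes rotated files older than N days)."""
    interval, rotate, maxage = None, 0, None
    for raw in stanza.splitlines():
        tok = raw.strip().split()
        if not tok:
            continue
        if tok[0] in _INTERVAL_DAYS:
            interval = _INTERVAL_DAYS[tok[0]]
        elif tok[0] == "rotate" and len(tok) > 1:
            rotate = int(tok[1])
        elif tok[0] == "maxage" and len(tok) > 1:
            maxage = int(tok[1])
    if interval is None:
        return 0
    days = rotate * interval
    return days if maxage is None else min(days, maxage)

def log_retention_compliant(stanza, minimum=MIN_LOG_RETENTION_DAYS):
    """Direction 4: a rolling 180 days of logs must be kept."""
    return logrotate_retention_days(stanza) >= minimum

def reporting_deadline(noticed_at):
    """Direction 2: 6 hours from when the incident was noticed. A timezone-aware
    timestamp is required so IST/UTC confusion cannot shift the deadline."""
    if noticed_at.tzinfo is None:
        raise ValueError("noticed_at must be timezone-aware")
    return noticed_at + REPORTING_WINDOW

def report_is_overdue(noticed_at, now):
    return now > reporting_deadline(noticed_at)

if __name__ == "__main__":
    ist = timezone(timedelta(hours=5, minutes=30))
    noticed = datetime(2025, 7, 28, 9, 0, tzinfo=ist)
    print("time source compliant:", time_source_compliant(CHRONY_SOURCES_OK))
    print("auth.log retention days:", logrotate_retention_days(LOGROTATE_OK))
    print("report by (UTC):", reporting_deadline(noticed).astimezone(timezone.utc))
```

The checks are deliberately conservative: a host that lists an approved server but is synchronised to something else fails the time-source check, and a logrotate `maxage` shorter than the rotation window shortens the computed retention. In practice the chrony output would come from running `chronyc sources` on each host and the stanzas from `/etc/logrotate.d/`.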



