At the cost of sounding cliché, it can be reiterated that data is the new gold. To have control over a vast pool of this new-age resource is a temptation that governments can’t avoid. However, along with the prerogative of controlling and maintaining humongous amounts of people’s private data comes the responsibility of ensuring its security. Once the data security around people’s personal information is not intact, they end up becoming commodities which can be traded for profit, affecting their interests, safety and decisions in numerous direct and indirect ways. This commodification of the masses is the last thing that is desired in a democratic country like India.
The recent reports of a purported data breach of beneficiaries registered on the CoWIN platform have ignited a new political slugfest in the country, and not without reason. The allegations of a data breach on the CoWIN platform are yet to be substantiated. But if the allegations carry even a speck of truth, it shall be interpreted as a serious dereliction of duty on the part of the Indian government. The most crucial thing that needs to be focused on from here is the forensic analysis conducted under the auspices of the Indian Computer Emergency Response Team (CERT-In). Lately, the credibility and efficacy of the cyber security agency has itself come into question. Given the gravity of the leak that is being alleged, there is a need for strict monitoring of the manner in which CERT-In probes the matter. Any casualness or lapse must be avoided at all costs.
One may recall that during the pandemic period, the extensive vaccination campaign in India was executed through the CoWIN application, which mandated the collection of private data of individuals, including Aadhaar number, passport details, voter ID etc. Given the extensive coverage of vaccination in a populous country like India, it is difficult to imagine the severity of the alleged breach.
It may also be recalled that back then experts and critics had pointed towards the lack of basic security architecture of the CoWIN platform, and opposed the government's decision to collect Aadhaar and other details. Those apprehensions and reservations, however, fell on deaf ears. The collection and storage of Aadhaar details were in contradiction with the Aadhaar Act, which doesn’t allow for storage of Aadhaar details. Furthermore, the storage of the data after the purpose was served, i.e., vaccination was complete, defies all moral logic.
In the absence of a robust personal data security framework, there are no provisions that can deter the government and other private entities from storing people’s data beyond the fulfilment of a particular cause. Citizens in India are yet to be provided with the crucial right to seek deletion of their data in full measure. The government’s failure to come up with a robust data security framework has been disheartening. This failure is further compounded by its penchant for building vast repositories of personal data. The reckless collection of humongous public data without an appropriate framework in place presents a ready recipe for disaster.
All the above-mentioned arguments point towards systemic loopholes and a casual approach on the part of the government. Although the occurrence, nature and extent of the reported data breach lie in the realm of uncertainty, the larger data ecosystem in India is evidently vulnerable to serious data breaches. In the case in question, the government’s response has been far from satisfactory, and raises more questions than it answers. Union Minister of State for IT, Rajeev Chandrasekhar, said it does not appear that the CoWIN app or database has been directly breached. The use of the word ‘directly’ leaves scope for an indirect breach, and nobody knows in what manner! The minister is also reported to have suggested that data could have been stolen in the past from a “threat actor database”.
There has clearly been a failure in coming out with a transparent, to-the-point explanation. Despite the ambiguity in its response, reflecting unavailability of appropriate information, the government discarded the reports as “mischievous” and “without any basis”. This reeks of laxity in approach. Furthermore, without waiting for a forensic analysis report, the Ministry of Health and Family Welfare ran hashtags and claimed that adequate security measures are in place on the CoWIN portal, with web application firewall, anti-DDoS, SSL/TLS, regular vulnerability assessment etc. It is disheartening to note that at a time when the private data of a vast number of Indians is at stake, the government appears more concerned about unsubstantiated image-building rhetoric. Understanding the gravity of the situation, the government must lay greater emphasis on the probe into the matter.