The Centre’s defence
The Ministry of Health press release first lays out the three ways in which data on CoWIN can be accessed: 1) a user can access their data on the portal through a one-time password (OTP) sent to their mobile number, 2) a vaccinator can access data of a person, and the CoWIN system tracks and records each time an “authorised” user accesses the system, and 3) third-party applications that have been provided authorised access to CoWIN APIs can access personal-level data of vaccinated people after OTP authentication.
Then it claims that without an OTP, data cannot be shared with the Telegram bot. Some reports said that the bot also showed people’s date of birth, but the Ministry said that CoWIN only collects their year of birth and that there is no provision to capture a person’s address on CoWIN.
It also said that there is one API that has a feature of sharing the data by using just a mobile number. “However, even this API is very specific and the requests are only accepted from a trusted API which has been whitelisted by the CoWIN application”.
Chandrasekhar, in a tweet, said the CERT-In had reviewed the alleged breach, and the data being accessed by the Telegram bot was from a “threat actor database”. He said that the database “seems to have been populated with previously breached data”, which was not related to CoWIN. “It does not appear that the CoWIN app or database has been directly breached,” Chandrasekhar added.
But was there a breach?
The Ministry has not explicitly clarified whether or not the CoWIN database was breached recently or in the past.
Its entire explanation hinges on the fact that the only way to access CoWIN’s system is either through an OTP or through a vaccinator whose access is logged. While the Ministry said that it has adequate security measures to protect CoWIN’s database, at no point has it said the database itself has not been impacted. This only leaves the possibility that the Telegram bot was not scraping data from CoWIN in real time.
The Ministry’s statement also does not address the assertions that the Telegram bot was able to accurately retrieve citizens’ data linked to a particular phone number, or explain why the details offered by the bot were specific to the CoWIN database, including place of vaccination, ID used, etc.
Then, the Ministry has admitted that there is at least one API for which an OTP is not a necessity for data sharing. While this API only accepts requests from a “trusted API” that has been “whitelisted” by the CoWIN system, there is no clarity on what this trusted API does and why it has been afforded the privilege of bypassing the entire OTP mechanism.
Besides, the Ministry is yet to receive a final report on the incident from CERT-In. As such, it would be premature to rule out a breach until CERT-In explicitly states that in its report.
If one were to go by the government’s second reasoning, that the database which the Telegram bot was using was prepared with information leaked in previous breaches, that, too, raises some concerns.
Chief among them is the Aadhaar details corresponding to a person’s mobile number – the government has never publicly acknowledged whether Aadhaar data has ever been hacked. In fact, in 2018, former IT Minister Ravi Shankar Prasad had said in Parliament that Aadhaar’s security “cannot be broken even with the billionth effort”. It is unclear then how the bot could accurately display people’s Aadhaar numbers corresponding to their mobile numbers.
Next steps
The Health Ministry has asked CERT-In to look into this issue and submit a final report. Chandrasekhar said the National Data Governance policy has been finalised that will create a common framework of data storage, access and security standards across all of the government. Queries sent to CERT-In on the issue did not elicit a response.