As part of its investigation into the alleged CoWIN data breach, the Indian Computer Emergency Response Team (CERT-In) — the nodal cyber security agency — is in discussions with at least 11 state governments that had developed their own databases during the Covid-19 pandemic and seeded citizens’ personal data including their Aadhaar details, The Indian Express has learnt. The agency is looking into any potential leaks that could have happened from the databases of these states. While Karnataka and Kerala are learnt to be among the 11 states, there is no information yet on the remaining states.
“Some states had created their full-fledged databases during the pandemic to track things like containment zones and vaccination status of residents. Some health workers in the states may also have had access to that data, which in some cases was stored on local devices. CERT-In has expanded the scope of its investigation into the issue by assessing whether one of these databases was impacted,” said a senior Union government official. During preliminary discussions, Karnataka and Kerala have indicated that they had created their respective databases during the pandemic to monitor containment zones, the official said.
CERT-In is also coordinating with messaging platform Telegram, where a bot was sharing citizens’ sensitive data, allegedly sourced from the CoWIN database, to ascertain the identity of the person or group behind it. However, the messaging platform has told the agency that the group that was operating the bot, called ‘hak4learn’, was using a virtual private network (VPN) to access the service, due to which it was difficult to pinpoint their identity or location. Telegram, which was founded in Russia and is now headquartered in the British Virgin Islands, did not respond to The Indian Express's queries on the issue.
Earlier this week, following reports that CoWIN data had been breached and was being shared on Telegram through a bot, the health ministry had asked CERT-In to probe the issue and submit a report. CERT-In is expected to share its report with the ministry next week.
The health ministry had said the CoWIN system was “completely safe with adequate safeguards for data privacy” and all reports of a breach were “without any basis and mischievous in nature”. Rajeev Chandrasekhar, Minister of State for Electronics and IT, had said that CERT-In had reviewed the alleged breach, and the data being accessed by the Telegram bot was from a “threat actor database” which seems to have been populated with previously breached data, which was not related to CoWIN. “It does not appear that the CoWIN app or database has been directly breached,” he had said.
Meanwhile, TMC MP Derek O’Brien is learnt to have filed a complaint with Kolkata’s cyber police, demanding an investigation into the issue. “...there is a notorious conspiracy at play to make available sensitive information to private players through government resources,” he said in his complaint.