Govt denies reports of CoWIN breach, cites data ‘stolen in past’

The data being accessed by the Telegram bot was from a “threat actor database which seems to have been populated with previously stolen data stolen in the past,” he said.

In a statement, the Union Health Ministry said the Centre has initiated an internal exercise to review the security measures of the vaccine management portal.

It said data from CoWIN can be accessed only by beneficiaries through their registered mobile number by using a one-time password; by an authorised vaccinator or personnel, but their login is recorded by the system each time; and by authorised third-party applications, but only with beneficiary OTP authentication.

The health ministry clarification, however, did not address the question of how the Telegram bot was able to throw up citizens’ data linked to a phone number. There are no details on past data breaches that the government has now raised, since it has never publicly acknowledged that Aadhaar data has been hacked. CERT-In did not respond to queries on the issue.

“CERT-In, in its initial report, has pointed out that the backend database for Telegram bot was not directly accessing the APIs of CoWIN database,” the health ministry said in its statement. API, or application programming interface, helps two applications share data with each other.

Sources said there are over 110 entities, including seven-eight government entities, that are using the APIs to access CoWIN data.

The ministry said the development team of the platform confirmed that there were no public APIs that could pull the data without an OTP, but there is one API that shares data with third parties such as the Indian Council of Medical Research (ICMR) just by calling the phone number linked to the Aadhaar number. The statement said this API only accepts requests from trusted APIs white-listed by CoWIN.

The Telegram account, which has been inactive since Monday morning, showed personal details of an individual when the phone number used to sign up for the CoWIN portal was messaged to the bot. Claiming to source information from the CoWIN portal, the Telegram bot showed the name of the person, the government identification used while getting the vaccination, where he/ she got the vaccination. It also revealed all the people registered with CoWIN with the same phone number – the portal allows one person to create accounts of multiple individuals with the same phone number.

This raised concerns among cybersecurity and privacy experts, owing to the sheer scale of data available with the CoWIN portal — more than 100 crore individuals have received vaccinations after signing up through the portal. This includes more than 4 crore children between the age of 12-14, and more than 37 crore people over the age of 45, a significant part of which could be senior citizens.

The details of several politicians and high-ranking officials, including the health secretary and the head of the team managing CoWIN, were also accessed by a news organisation, The Fourth, which first reported on the alleged breach.

The government, however, maintained that the data was “completely safe” with adequate safeguards. “It is clarified that all such reports are without any basis and mischievous in nature,” the statement said.

It said that while only the year of birth is captured by CoWIN for adult beneficiaries, the bot was said to be providing the date of birth too; that the portal has no provision for capturing addresses that were also said to be revealed by the bot.
https://twitter.com/b_sreejan/status/1668068417239396352
As per CoWIN’s privacy policy, the platform has “reasonable security measures” and safeguards in place to protect users’ privacy and personal information. The system also takes “feedback” about its performance and beneficiary experience – it uses information including name, mobile number, date of vaccination, and vaccination status for this.

Opposition leaders raised concern about the alleged data breach. Posting a screenshot of his own data, Congress MP Karti Chidambaram tweeted: “In its Digital India frenzy, GoI has woefully ignored citizen privacy. Personal data of every single Indian who got Covid-19 vaccination is publicly available. Including my own data. Who let this happen? Why is GoI sitting on a data protection law? @AshwiniVaishnaw must answer.”

Sharing screenshots of data related to some TMC and Congress leaders, TMC national spokesperson Saket Gokhale tweeted: “There has been a major data breach of Modi Govt where personal details of all vaccinated Indians including their mobile numbers, Aadhaar numbers, passport numbers, voter ID, details of family members etc. have been leaked & are freely available.”

“Why is the Modi Govt including Home Ministry not aware of this leak & why haven’t Indians been informed about a data breach? Who has the Modi Govt given access to sensitive personal data of Indians including Aadhaar & passport numbers which enabled this leak? This is a matter of serious national concern. And predictably, the Minister in-charge of this is @AshwiniVaishnaw who heads the Electronics, Communications, & IT portfolios in addition to Railways,” he tweeted.

In 2021, allaying the fears of a breach of CoWIN data, the chairman of the Empowered Group on Vaccine Administration, R S Sharma, had said: “The claims of so-called hackers on the dark web, relating to alleged hacking of the CoWIN system and data leak, is baseless. We continue to take appropriate steps as are necessary, from time to time, to ensure that the data of the people is safe with Co-WIN.”

From the homepage

US revoked visas of Indian business executives over link to fentanyl trade: Embassy

‘I respect all religions’: CJI Gavai on critical social media posts over his comments in Khajuraho case

France’s Macron to submit ‘photographic, scientific evidence’ that wife Brigitte is a woman