Report says CoWIN security breach bleeds personal data, Centre asserts leak impossible, seeks CERT-IN report

Government sources said the portal collected only the date on which the individual received anti-Covid-19 vaccine doses.

By South First Desk

Published Jun 12, 2023 | 3:02 PM Updated Jun 12, 2023 | 6:20 PM

CoWIN’s “state-of-the-art security infrastructure” has been compromised, a report said.

However, in a media statement released on Monday, 12 June, the Union government refuted the report, terming it “without any basis and mischievous in nature”. It added that CERT-IN would probe the alleged data leak, and submit a report.

The health ministry has also initiated an internal review of CoWIN’s security features.

Incidentally, more than a year ago, Dr RS Sharma, the Chief Executive Officer of the National Health Authority, assured the country of a secure portal holding the personal data of Indians.

Unknown to him, a Telegram chatbot reportedly gave away the details of those who registered themselves on CoWIN for getting vaccinated against Covid-19.

CoWIN is the Indian government web portal for Covid-19 vaccination registration, owned and operated by the Ministry of Health and Family Welfare.

“#CoWIN has state-of-the-art security infrastructure and has never faced a security breach. Data of our citizens on CoWIN is absolutely #safe and #secure. Any news about data leaks from CoWIN holds no merit,” Dr Sharma tweeted late on 21 January 2022.

The multiple hashtags and the “state-of-the-art security infrastructure”, apparently, did not keep the personal data safe, Reshma Asokan, a reporter with a Malayalam news portal, The Fourth News, found out.

In a damning report, the relatively new The Fourth News exposed chinks in the CoWIN armour, and downloaded the details of several prominent politicians and officials, including Dr Sharma and his family members, using a Telegram BOT.

According to the report, Dr Sharma used his passport, number ******49, to register on the CoWIN portal. He was also the first Director General of the Unique Identification Authority of India (UIDAI) and authored a book, The Making of Aadhaar: World’s Largest Identity Platform.

When supplied with an individual’s mobile phone number or Aadhaar card number, the BOT provided, free of cost, the vaccine recipient’s name, gender, phone number, identification card number, and date of birth. It also returned the vaccine used and the name of the vaccination centre.

The BOT also claimed to provide various details about Indians.

South First could not independently verify the breach. Following the expose, the Telegram bot, hak4learn, stopped functioning.

Bot plays hide and seek

On Monday, 12 June, the BOT did not provide the details. “Aadhaar and number search mode are not available from now,” it said, “… because we are in news”.

Several users wanted to know whether the BOT would be back. “Probably yes,” the hackers replied on Monday.

The hackers operate through multiple social media platforms and offer to provide any information in return for money.

Experts took the breach seriously since the registered members of CoWIN have to undergo several security checks, including OTP, even to download their vaccination certificates.

Opposition wants to fix responsibility 

The Fourth News expose has whipped up a storm across the country, with the Opposition parties demanding that the Union government conduct a thorough probe and fix responsibility for the security breach.

The Trinamool Congress’s national spokesperson Saket Gokhale shared screenshots of the alleged security breach on his Twitter handle.

“There has been a MAJOR data breach of Modi Govt where personal details of ALL vaccinated Indians including their mobile nos., Aadhaar numbers, Passport numbers, Voter ID, Details of family members etc. have been leaked & are freely available,” he tweeted.

The screenshots Gokhale shared included the Aadhaar card numbers, gender, date of birth and vaccination centres of senior politicians including Trinamool’s Rajya Sabha MP Derek O’Brien, former Union minister P Chidambaram, Congress leaders Jairam Ramesh and KC Venugopal.

“This is a matter of national concern,” Gokhale said in a series of tweets. He demanded that Union Minister Ashwini Vaishnaw, holding the Electronics, Communications and IT portfolios, explain the breach.

He sought to know from the government why Indians were not informed about the data breach.

“Who has the Modi Govt given access to sensitive personal data of Indians incl Aadhaar & Passport nos. which enabled this leak,” he asked.

Violation of Supreme Court order

CPI(M) secretary Sitaram Yechury urged the government to find out those behind the data leak and initiate stringent action against them.

He said the leak amounted to the violation of a Supreme Court order that upheld privacy as a fundamental right.

Acting president of the Mahila Congress, Netta D’Souza shared screenshots of registration details collected through the “alarmingly big” leak. She wanted to know who benefitted from the leak.

Supriya Sule, the working president of the NCP, termed the breach “an outright violation of our privacy rights”.

“The time has come for the government to step up and enact robust data protection legislation that unequivocally upholds our privacy.

“We demand action, transparency, and the assurance that our personal data will be shielded from any further breaches,” she tweeted.

Concerns raised earlier

Twitter user Sandeep Manudhane was more livid. “For this major breach, who is responsible? Of course, no one, because India still has no Data Protection Law at all! Enjoy the show while it lasts!” he said.

The data leak was widely discussed during the peak Covid-19 days. It was alleged that a large-scale transfer of people’s personal and health details had taken place.

A similar allegation was raised last year also. It was said that personal identification details were leaked.

In June 2021, it was alleged that the personal data of 150 million Indians were leaked. However, the Union Health Ministry refuted the reports about the data leak.

CERT-IN to submit report

On Monday, the central Ministry of Health and Family Welfare asked the Indian Computer Emergency Response Team (CERT-IN) to look into the allegation and submit a report.

Formed in 2004, CERT-IN is the nodal agency dealing with cyber security threats such as hacking and phishing.

In the statement issued on Monday, the health ministry explained that such a breach, as reported, is not possible.

“It is clarified that all such reports are without any basis and mischievous in nature,” the statement said.

“CoWIN portal of the Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on CoWIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management, etc.,” the ministry further said.

“Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal,” it added.

The statement asserted that without OTP, vaccinated beneficiaries’ data cannot be shared to any BOT. “Only Year of Birth (YOB) is captured for adult vaccination but it seems that on media posts it has been claimed that BOT also mentioned date of Birth (DOB),” it said, adding that there is no provision to capture the addresses of beneficiaries.

Ministry initiates internal review

The ministry also confirmed with CoWIN developers that the site has no public application programming interfaces (APIs) through which data could be pulled without an OTP.

The statement further said that some APIs have been shared with third parties such as ICMR for sharing data.

“It is reported that one such API has a feature of sharing the data by calling using just a mobile number or Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the CoWIN application,” the ministry said.

However, the ministry has initiated an internal exercise to review CoWIN’s existing security measures.

“CERT-IN in its initial report has pointed out that backend database for Telegram BOT was not directly accessing the APIs of CoWIN database,” the statement added.

Meanwhile, Rajeev Chandrasekhar, the Minister of State for Skill Development and Entrepreneurship and Electronics and Information Technology of India, said “the data being accessed by BOT from a threat actor database, which seems to have been populated with previously stolen data.”

He dismissed any breach in CoWIN security. “It does not appear that CoWIN app or database has been directly breached,” the technocrat-politician tweeted.