From denial to action mode: Delhi police arrest Bihar man for involvement in CoWIN data ‘leak’

There have been claims about a leak of data of citizens registered on the CoWIN platform, forcing the Opposition parties to demand deterrent action.

By South First Desk

Published Jun 22, 2023 | 2:59 PM. Updated Jun 22, 2023 | 2:59 PM

The Delhi police arrested a man from Bihar on Thursday, 22 June, in connection with the alleged leak of information from the CoWIN portal. A minor, who allegedly helped the man, has been detained.

The development gains importance since the Union government had denied any security breach on its CoWIN portal, a day after The Fourth News, a Malayalam news portal, reported the data leak.

On 12 June, the government rubbished the report, saying it was “without any basis and mischievous in nature”, but ordered a probe by the Indian Computer Emergency Response Team (CERT-IN), the country’s nodal cyber security agency.

The CERT-IN, after a review, said in its initial report that the backend database for the Telegram bot, which is at the centre of the alleged leak, was not directly accessing the Application Programming Interface (API) of the CoWIN database.

In a statement, the Union Health Ministry also said that an internal exercise was initiated to review the existing security measures.

Arrest comes 10 days after denial

Ten days after the government’s denial, the Delhi Police’s Intelligence Fusion & Strategic Operations (IFSO) unit arrested the man from his residence in Bihar.

The man allegedly used a chatbot to provide information on those registered with CoWIN over Telegram.

The police said the man leaked personal details of politicians, bureaucrats, and others on the social media platform. He allegedly took the help of his mother, a health worker, to access the data from the CoWIN portal.

The man’s identity has not been revealed.

“Though the government was in denial initially, the arrest has once again validated the report,” B Sreejan, Director (News), of The Fourth News said.

“But the real question is whether the arrested man is the only culprit. The investigation should find if there are more leaks and plug them,” he added.

NHA CEO assured security

More than a year ago, Dr RS Sharma, the Chief Executive Officer of the National Health Authority (NHA), assured the country of a secure portal holding the personal data of Indians.

Unknown to him, a Telegram chatbot reportedly gave away the details of those who registered themselves on CoWIN for getting vaccinated against Covid-19.

CoWIN is the Indian government web portal for Covid-19 vaccination registration, owned and operated by the Ministry of Health and Family Welfare.

“#CoWIN has state-of-the-art security infrastructure and has never faced a security breach. Data of our citizens on CoWIN is absolutely #safe and #secure. Any news about data leaks from CoWIN holds no merit,” Dr Sharma tweeted late on 21 January 2022.

The data leak exposé

The multiple hashtags and the “state-of-the-art security infrastructure”, apparently, did not keep the personal data safe, Reshma Asokan, a reporter with a Malayalam news portal, found out.

In a damning report, the relatively new portal exposed chinks in the CoWIN armour, and downloaded the details of several prominent politicians and officials, including Dr Sharma and his family members, using a Telegram BOT.

According to the report, Dr Sharma used his passport, number ******49, to register on the CoWIN portal. He was also the first Director General of the Unique Identification Authority of India (UIDAI) and authored a book, The Making of Aadhaar: World’s Largest Identity Platform.

When furnished with an individual’s mobile phone number or Aadhaar card number, the BOT provided, free of cost, the vaccine recipient’s name, gender, phone number, identification card number, and date of birth. It also returned the vaccine used and the name of the vaccination centre.

The BOT also claimed to provide various details about Indians.

Following the exposé, the Telegram bot, hak4learn, stopped functioning. “Aadhaar and number search mode are not available from now,” it said, “… because we are in news”.

Health ministry steps in

Responding to the news report, the central Ministry of Health and Family Welfare confirmed with CoWIN developers that the site has no public APIs through which data could be pulled without an OTP.

In a statement, the ministry said that some APIs have been shared with third parties such as ICMR for sharing data.

“It is reported that one such API has a feature of sharing the data by calling using just a mobile number or Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the CoWIN application,” the ministry said on 12 June.

Rajeev Chandrasekhar, the Minister of State for Skill Development and Entrepreneurship and Electronics and Information Technology of India, said on 12 June that “the data being accessed by BOT from a threat actor database, which seems to have been populated with previously stolen data”.

He dismissed any breach in CoWIN security. “It does not appear that CoWIN app or database has been directly breached,” the technocrat-politician tweeted.

(With PTI inputs)