Recently, there have been reports of data breaches on the CoWIN app. In response to these reports, the Ministry of Health said on Monday in a statement that the data breach of beneficiaries of the COVID vaccinations is “without any basis and mischievous in nature.” It is asserted that the Indian Computer Emergency Response Team (CERT-In) has been asked to investigate this data leak and submit a report. The Ministry has reiterated that the CoWIN (Covid Vaccine Intelligence Network) portal is safe and secure, and the portal has a proper mechanism of defence that ensures data privacy.
The Union Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, tweeted, “It does not appear that the CoWIN app or database has been directly breached.” The Minister clarified that the data the bot was accessing came from another platform that contained previously stolen data, and that this platform was not CoWIN.
Chandrasekhar claimed in a tweet that, with reference to some alleged CoWIN data breaches that were primarily reported on social media, CERT-In had immediately responded and reviewed the situation. He further explained that a Telegram bot was giving out information when a user entered a phone number. The bot used the number to query another database, one that resembled the CoWIN database but had been populated with previously stolen data. This implied that the CoWIN app or database had not been directly breached. Further, the minister claimed that a national data governance policy has been drawn up that consists of a common framework for data storage, access, and security standards across all of government.
The concern goes beyond the reported breach of data on CoWIN: CoWIN serves the functions of registration, appointment scheduling, identity verification, vaccination, and certification of each vaccinated member. The concern is heightened by the fact that the CoWIN platform has been integrated with the Aarogya Setu and UMANG apps.
The government’s efforts to promote mobile governance and bring e-government services to all citizens led to the development of UMANG (Unified Mobile Application for New-Age Governance). It was developed by the Ministry of Electronics and Information Technology and the National e-Governance Division (NeGD). It provides e-government services ranging from those of the central government to those of local bodies.
According to the reports, the data was obtained by entering a person's phone number, and the bot responded with details such as the identification number of the document that was submitted during vaccination (like Aadhaar, passport, or PAN card), gender, date of birth, and the centre where the vaccine shot was administered. If the user entered the Aadhaar card number instead of the phone number, the bot responded with similar information.
The Union Health Ministry has claimed that it has urged the CERT-In to investigate the situation. Along with the investigation, an internal review is underway to analyse the security measures that are in place at the moment on the CoWIN app. In a statement, the Ministry added, “CERT-In, in its initial report, has pointed out that the back-end database for the Telegram bot was not directly accessing the APIs of the CoWIN database.”
Currently, the data of a beneficiary can be accessed at three levels. The first is the beneficiary dashboard, where individuals can access their data by entering their mobile number and then the OTP. The second is the authorised user of the CoWIN app, who can access the data by entering their login credentials. The third is third-party applications that have been provided with access to CoWIN APIs, where the data can be accessed only after OTP authentication.
The Telegram “bot” disclosed personal information about several opposition leaders, including Trinamool Congress leader and Rajya Sabha member Derek O’Brien, former Union Minister P. Chidambaram, Congress leader Jairam Ramesh, Rajya Sabha Deputy Chairman Harivansh Narayan Singh, and Rajya Sabha members Sushmita Dev, Abhishek Manu Singhvi, and Sanjay Raut. Though the bot has been taken down, there are still concerns regarding the personal data.
Reportedly, in an exclusive interview with India Today, the hacker elaborated on how he did not breach the CoWIN platform but rather found vulnerabilities on an associated platform that he did not name. Reports suggest that the hacker was able to operate the Telegram chatbot that was responsible for providing personal data, and that the same data could be accessed through the vulnerabilities of the other platform.
A leak of this nature has previously been reported. A hacker collective known as “Dark Leak Market” claimed to have a database of around 15 crore Indians who had enrolled themselves on the CoWIN portal in June 2021. Back then too, the assertions were debunked by health officials.