No CoWIN data breach: Govt; Opp seeks probe


Tuesday, 13 June 2023 | PNS | New Delhi

The Centre on Monday categorically denied reports claiming a breach of data of beneficiaries registered on the CoWIN platform, labeling them as “baseless” and “mischievous.” Union Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, said the Indian Computer Emergency Response Team (CERT-In) swiftly responded and found no evidence of a direct breach of the CoWIN app or database.

Chandrasekhar disclosed that a Telegram bot was accessing data from a threat actor database, which seemed to consist of previously breached or stolen information.

Meanwhile, India Today channel has claimed to have successfully identified the person behind the operation of the Telegram bot that generated personal details of vaccinated individuals. According to their investigation, the hackers clarified that they did not breach the CoWIN platform itself but instead discovered vulnerabilities in an associated platform.

The identification of the anonymous individual was made possible by India Today’s Open Source Investigations (OSINT) team, which traced the digital trail left by the person on the encrypted messaging platform.

However, Opposition parties have intensified their demands for a thorough inquiry into the alleged data breach. Congress leaders expressed grave concerns over what they perceive as “criminal negligence” on the part of the government and questioned the delay in enacting a data protection law.

Karti Chidambaram, a Congress MP, and party spokesperson Shama Mohamed alleged that personal information of all Indian citizens registered on the CoWIN portal has been leaked on Telegram, including sensitive details such as phone numbers, Aadhaar card, and PAN card information.

Mohamed accused the Modi Government of compromising the security and privacy of Indians, labeling it as criminal negligence. They directed their enquiries towards Minister of Electronics and Information Technology Ashwini Vaishnaw.

Saket Gokhale, the national spokesperson for the Trinamool Congress (TMC), too criticised Vaishnaw’s handling of the situation, underscoring the seriousness of the matter given his key portfolios related to electronics, communications, information technology, and railways. Gokhale questioned the Prime Minister’s tolerance of what he perceives as Vaishnaw’s incompetence. The Communist Party of India (Marxist) [CPI(M)] echoed the demands for a comprehensive investigation into the alleged breach.

In response, the Health Ministry issued a statement reiterating the safety of the CoWIN portal and the presence of robust safeguards for data privacy.

The Ministry refuted the reports alleging a data breach as baseless and mischievous. It assured that the CoWIN portal maintains stringent security measures, including a web application firewall, regular vulnerability assessments, and Identity and Access Management. The ministry has initiated an internal review of existing security measures to ensure their efficacy.

As the controversy continues to brew, the demand for an inquiry into the alleged data breach grows stronger. The government remains steadfast in asserting the security of the CoWIN portal, while the Opposition parties persist in their calls for further investigation to guarantee the privacy and security of citizens’ data.

“Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal,” the Ministry said. “CERT-In in its initial report has pointed out that backend database for Telegram bot was not directly accessing the APIs of CoWIN database,” the statement said.

At present, the statement said, individual-level vaccinated beneficiary data access is available at three levels.

The first is the beneficiary dashboard -- the person who has been vaccinated can access the Co-WIN data using the registered mobile number with OTP authentication. The second is the CoWIN authorised user -- the vaccinator can access personal-level data of vaccinated beneficiaries using the authentic login credentials provided.

And then there is API-based access -- third-party applications that have been provided authorised access to Co-WIN APIs can access personal-level data of vaccinated beneficiaries only through beneficiary OTP authentication.

The CoWIN system tracks and keeps record of each time an authorised user accesses the CoWIN system, the statement said.

“Without OTP, vaccinated beneficiaries’ data cannot be shared to any BOT,” the ministry said. It further said only the year of birth is captured for adult vaccination, but it seems media posts have claimed that the bot also mentioned the date of birth. Also, there is no provision to capture the address of the beneficiary, it said.

“The development team of CoWIN has confirmed that there are no public APIs where data can be pulled without an OTP. In addition to the above, there are some APIs which have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application,” it said.

Media reported the personal data of individuals who have been vaccinated is being accessed using a Telegram (online messenger application) Bot. It is reported that the bot has been able to pull individual data by simply passing the mobile number or Aadhaar number of a beneficiary. The reports published the vaccination data of many people including CoWIN CEO, Union Health Secretary, several Ministers and politicians. 

 
