The Centre on Monday assured people that adequate security measures were in place for the CoWIN application, the country’s foremost Covid-19 vaccination platform, and said that the reports of data breach were “without any basis and mischievous in nature”.
“With reference to some alleged Cowin data breaches reported on social media, the Indian Computer Emergency Response Team (CERT-In, the nodal agency for cybersecurity incidents) has immediately responded and reviewed this… It does not appear that Cowin app or database has been directly breached,” said Union minister of state for electronics and information technology, Rajeev Chandrasekhar.
The Union ministry of health and family welfare said that it had requested CERT-In to look into the issue and submit a report. “The CoWIN portal is completely safe with adequate safeguards for data privacy. “There are reports alleging breach of data from the CoWIN portal of the Union health ministry, which is repository of all data of beneficiaries who have been vaccinated against Covid-19. It is clarified that all such reports are without any basis and mischievous in nature. CoWIN portal of the health ministry is completely safe with adequate safeguards for data privacy,” the ministry said in a statement.
Earlier in the day, reports had emerged that personal data of vaccinated Indians, including senior politicians, bureaucrats and journalists, had been leaked online. Trinamool Congress (TMC) national spokesperson Saket Gokhale shared the screenshots of the purported breach on his official Twitter handle. He said that the leaked data included details of Rajya Sabha deputy chairman Haribansh Narayan Singh, health secretary Rajesh Bhushan, Congress leaders P Chidambaram, Jairam Ramesh, Abhishek Manu Singhvi and KC Venugopal, Rajya Sabha MPs Derek O’Brien, Sushmita Dev and Sanjay Raut. “There has been a major data breach of Modi Govt… This is a matter of serious national concern,” Gokhale said.
Reacting to the allegations, minister Rajeev Chandrasekhar said, “A Telegram Bot was throwing up Cowin app details upon entry of phone numbers. The data being accessed by bot from a threat actor database, which seems to have been populated with previously breached/stolen data stolen from past.”
The health ministry also said that CERT-In in its initial report has pointed out that backend database for Telegram bot was not directly accessing the APIs of CoWIN database.
“The development team of COWIN has confirmed that there are no public APIs (application programming interface) where data can be pulled without an OTP (one-time password). In addition to the above, there are some APIs which have been shared with third parties such as ICMR (Indian Council of Medical Research) for sharing data,” the ministry said in its statement.
“It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the CoWIN application,” it added.
The health ministry said that it has also initiated an internal exercise to review the existing security measures of CoWIN.
Minister Rajeev Chandrasekhar said, “National Data Governance policy has been finalised that will create a common framework of data storage, access and security standards across all of government.”
National Health Authority (NHA) chief Ram Sewak Sharma, who heads the CoWIN portal, was not available for a comment.
This is not the first time CoWIN has come under scanner for being vulnerable to data breach. Earlier, NHA dismissed the allegations of a CoWIN breach in 2022. “CoWIN has state-of-the-art security infrastructure and has never faced a security breach. Data of our citizens on CoWIN is absolutely safe and secure. Any news about data leaks from CoWIN holds no merit,” Sharma tweeted in January, 2022. In June 2021, Sharma refuted breach allegations after Dark Leak Market, a hacker group, claimed to have details of 15 crore Indians.
CoWIN was launched in January 2021 to help book slots for vaccination. Registration in the app is mandatory for all beneficiaries who would receive the Covid-19 vaccines. Vaccination certification is generated only for beneficiaries who are registered on the app. Users need photo identities to register themselves in the app.
