Govt Rubbishes Reports of Leak from CoWIN Platform, “Data Stored is Completely Safe”
Manas Dasgupta
NEW DELHI, June 12: The Union Health Ministry on Monday denied the reports of data breach of beneficiaries who have received COVID vaccination in the country are “without any basis and mischievous in nature” and claimed the data in the CoWIN portal — the country’s Covid-19 vaccination tracking platform — is completely safe,
The clarification was issued following reports on Monday morning that personal information of people registered on the portal has been breached. The reports, the Centre said, are “mischievous.”
“CoWIN portal of Health Ministry is completely safe with safeguards for data privacy… Only OTP authentication-based Access of Data is provided,” read a statement from the Union Health Ministry. Sensitive personal details of politicians, bureaucrats, and others have been making rounds on the social media platform Telegram, the data-driven news portal South Asia Index reported in a series of tweets on Monday morning.
The leaked data allegedly includes Aadhaar, voter ID, passport numbers and cellphone numbers of those who received Covid-19 vaccines, tweeted South East Asia Index. “Details of family members of all COVID-19 vaccinated Indians have also been leaked in this major breach,” read another tweet.
“The CoWIN (Covid Vaccine Intelligence Network) portal of the Health Ministry is completely safe with adequate safeguards for data privacy it maintained. “It does not appear that CoWIN app or database has been directly breached,” tweeted Rajeev Chandrasekhar, the Union Minister of State for Electronics, and Information Technology, clarifying that data being accessed by a bot from a threat actor database, seems to have been populated with previously breached/stolen data. He claimed that the database on Telegram was other than CoWIN.
The Union Health Ministry said it requested the Indian Computer Emergency Response Team (CERT-In) to investigate this issue and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN. “CERT-In in its initial report has pointed out that the backend database for Telegram bot was not directly accessing the APIs of CoWIN database,” it said in the statement.
Chandrasekhar tweeted that a Telegram Bot was throwing up CoWIN app details upon entry of phone numbers. “National data governance policy has been finalised that will create a common framework of data storage, access and security across all of govt,” he tweeted.
But what is more worrying is the fact that CoWIN — which serves the function of registration, appointment scheduling, identity verification, vaccination and certification of each vaccinated member — has also been integrated into the Aarogya Setu and UMANG Apps.
UMANG (Unified Mobile Application for New-age Governance) is developed by Ministry of Electronics and Information Technology (MeitY) and National e-Governance Division (NeGD) to drive mobile governance in India. UMANG provides a single platform for all Indian Citizens to access pan India e-Gov services ranging from Central to Local Government bodies.
As per reports, the current data breach is possible if the mobile number of a person is entered — details such as the identification number of the document submitted for vaccination (Aadhaar, passport, PAN card and so forth), gender, date of birth, and the centre where the vaccine was administered, are provided as reply in an instant by the messenger bot in question.
These details could be accessed even if the Aadhaar number was entered instead of the phone number. The passport numbers of those who had updated the CoWIN portal for travel abroad were also leaked.
As per the information provided in the CoWin beneficiary, but only with OTP, the person who has been vaccinated can have access to the CoWIN data through the use of a registered mobile number with OTP authentication on the beneficiary dashboard. The vaccinator with the use of an authentic login credential provided can access the personal level data of vaccinated beneficiaries. But the COWIN system tracks and keeps a record of each time an authorised user accesses the CoWIN system.
The third-party applications that have been provided authorised access to CoWIN APIs can access personal level data of vaccinated beneficiaries only through beneficiary OTP authentication. Without OTP, vaccinated beneficiaries’ data cannot be shared with any BOT. Only the Year of Birth (YOB) is captured for adult vaccination, but it seems that on media posts it has been claimed that BOT mentioned the Date of Birth (DOB). There is no provision to capture the address of beneficiary. The development team of CoWIN has confirmed that there are no public APIs where data can be pulled without an OTP.
Details, now available in the public domain, include that of Ram Sewak Sarma, chairman of CoWIN high-power panel (the leak gives information on the ID papers submitted for vaccination), senior BJP leader Meenakshi Lekhi and Congress general secretary K.C. Venugopal (location at which they got vaccinated), the mode of registration for Kerala Health Minister Veena George.
The Telegram bot (a programme that behaves like a normal chat partner with additional functions) — is also giving details of individuals and several Opposition leaders’ data including — Rajya Sabha MP and TMC Leader Derek O’Brien, former Union Minister P. Chidambaram, Congress leaders Jairam Ramesh, Deputy Chairman Rajya Sabha Haribansh Narayan Singh, Rajya Sabha MPs Sushmita Dev, Abhishek Manu Singhvi, and Sanjay Raut, among others.
While the bot has now been taken down, there are speculations of it returning. The CoWIN site provides vaccination certificates to the beneficiaries, which acted as Vaccine Passports during the COVID-19 pandemic for the beneficiaries and can be stored in DigiLocker. Users can access the platform via desktop, tablet, and mobile phones.
While there have been multiple questions about the leaks, health authorities have maintained that CoWIN has a state-of-the-art secure infrastructure and has never faced a security breach and even maintained that the data of the citizens are absolutely safe.
It was not the first time that safety of the CoWin data has come into question. In June 2021, a hacker group named ‘Dark Leak Market’ claimed that it had a database of about 15 crore Indians who registered themselves on the CoWIN portal. The health ministry had rubbished that claim also.
The Health Ministry in its latest statement added that security measures are in place on the CoWIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management etc. Only OTP authentication-based access to data is provided. All steps have been taken and are being taken to ensure the security of the data in the CoWIN portal.
COWIN was developed and is owned and managed by Health Ministry. An Empowered Group on Vaccine Administration (EGVAC) was formed for steering the development of CoWIN and for deciding on policy issues. Former CEO National Health Authority (NHA), chaired EGVAC which also included members from MoHFW and MeitY.