CyberSecurity SEE

CoWIN Data Leak – Personal Data of Vaccine Recipients Exposed

A significant data breach has exposed the personal information of hundreds of thousands of Indian citizens who received the COVID vaccination. Reports state that the information was posted on the Telegram channel “hak4learn” by a Telegram bot, which enabled access to the private data of millions of citizens. The bot operator made available the data of individuals who registered via the CoWIN site, including their ID card details, date of birth, phone number, and gender. The bot claimed to be able to retrieve this data when given a person’s name.

Local news media has used the bot to access the private data of politicians, and on June 12, the bot stopped functioning. However, experts caution that the bot was probably merely a window for whoever hacked the database. “Usually, hackers reveal a slice of data publicly via a bot or web page to prove to the world they have said data and then sell it on the dark web,” says Srikanth Lakshmanan, a researcher who runs the digital payments collective Cashless Consumer. The fact that the bot has been shut down does not necessarily indicate the breach is over, says Lakshmanan, adding, “While the bot is down now, we don’t know where all the data is being traded.”

Some experts have argued that the scale of the breach, which affects several million users, makes it difficult to predict the consequences. The CoWIN vaccination monitoring app is notable for having more than one billion registered users. However, allegations that the CoWIN site has been compromised are “without any basis,” and the health ministry has requested that the Computer Emergency Response Team investigate the accusations. The government said that the Co-WIN portal of the health ministry is entirely safe, with sufficient safeguards for data privacy and protection.

“The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP (one-time password). It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific, and the requests are only accepted from a trusted API, which has been white-listed by the CoWIN application,” said the ministry in a statement. The health ministry has also initiated an internal exercise to evaluate the CoWIN security procedures in place.

Minister Rajeev Chandrasekhar said, “National Data Governance policy has been finalized that will create a common framework of data storage, access, and security standards across all of government.” According to sources, the government is looking at instituting a centralized system to store citizens’ data and is mulling over bringing in a new data protection law to protect the personal information of residents.
