Media reports quoted government sources as saying that CoWIN does not collect personal details such as date of birth and address

Govt says CoWIN safe, data from ‘past breach’; how is it safe then, asks Oppn


The government on Monday (June 12) termed the reports claiming a CoWIN data breach as “mischievous” and “without any basis”, news agencies reported. It added that the country’s nodal cyber security agency CERT-In has reviewed the matter and given the COVID-19 vaccination portal a clean chit.

“The CoWIN portal is completely safe, with adequate safeguards for data privacy,” the Health Ministry said in a statement, adding that the existing security measures are being reviewed.

The statement came after Trinamool Congress spokesperson Saket Gokhale shared screenshots of the data of certain senior political leaders on his official Twitter account in the morning, claiming those were available on messenger app Telegram as a result of the CoWIN breach.

“CoWIN not directly breached”

Rajeev Chandrasekhar, Union Minister of State for Electronics and Information Technology, said the Indian Computer Emergency Response Team (CERT-In) responded immediately and it did not appear that the CoWIN app or database had been directly breached. He said a Telegram bot was throwing up CoWIN app details upon entry of phone numbers.

“The data is being accessed by a bot from a threat actor database, which seems to have been populated with previously breached/stolen data. It does not appear that the CoWIN app or database has been directly breached,” the minister tweeted.

The CoWIN portal is the repository of all data of beneficiaries who have been vaccinated against COVID-19.

“All steps taken”

“It is clarified that all such reports (of data breach) are without any basis and mischievous in nature. Co-WIN portal of Health Ministry is completely safe with adequate safeguards for data privacy,” the government statement read.

Furthermore, security measures are in place on the CoWIN portal with a web application firewall, regular vulnerability assessment, and Identity and Access Management, it said.

“Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal,” the ministry said. “CERT-In in its initial report has pointed out that backend database for Telegram bot was not directly accessing the APIs (application programming interfaces) of CoWIN database,” the statement said.

“…the bot has been able to pull individual data by simply passing the mobile number or Aadhaar number of a beneficiary,” the ministry said.

Congress’s questions

However, the government’s explanation did not satisfy the Opposition. Congress general secretary KC Venugopal posted a tweet asking several pertinent questions. He pointed out that the ministry’s statement showed that data had been previously breached.

“Since you mention ‘previously breached/stolen data,’ you’re clearly admitting that COWIN data has already been breached,” Venugopal pointed out.

“If a Telegram bot can throw up COWIN details simply by inputting mobile numbers, it will not take too long for an automated software to harvest all COWIN data within a matter of hours,” the tweet read.

“This breach clearly shows that COWIN data was not encrypted. If it were, only those with the necessary authorisation will be able to access such data, and random Telegram bots will not be able to decrypt such personal data,” it added.

Saket Gokhale also tweeted asking similar questions.


“No data sharing without OTP”

The CoWIN app was developed and is owned and managed by the Ministry of Health and Family Welfare. An Empowered Group on Vaccine Administration (EGVAC) was formed for steering the development of COWIN and for deciding on policy issues.

At present, beneficiary data access is available at three levels on the portal, the statement explained. The first is the beneficiary herself/himself, through her/his registered mobile number with OTP authentication. The second is the vaccinator, a CoWIN-authorised user, with authentic login credentials. Then, there are the third-party applications (APIs) that can gain access only through beneficiary OTP authentication.

The CoWIN system keeps a record every time an authorised user accesses the CoWIN system, the statement said. “Without OTP, vaccinated beneficiaries’ data cannot be shared to any bot,” the ministry said.
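As an added illustration of the access model described above (example code, not anything from CoWIN or the ministry), the routine below runs over a constructed access log and flags a client that pulls many distinct beneficiaries by mobile number without a per-beneficiary OTP step, which is the pattern a bot-fed scraper would leave. The log format, field names and client identifiers are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format and field names are assumptions, not CoWIN's).
# hospital-42 verifies an OTP before each lookup; app-77 never does.
SAMPLE_LOG = """\
2023-06-12T09:00:01 client=hospital-42 action=otp_verified mobile=98xxxxxx01
2023-06-12T09:00:03 client=hospital-42 action=lookup mobile=98xxxxxx01
2023-06-12T09:00:04 client=app-77 action=lookup mobile=98xxxxxx02
2023-06-12T09:00:05 client=app-77 action=lookup mobile=98xxxxxx03
2023-06-12T09:00:06 client=app-77 action=lookup mobile=98xxxxxx04
2023-06-12T09:00:07 client=hospital-42 action=otp_verified mobile=98xxxxxx05
2023-06-12T09:00:08 client=hospital-42 action=lookup mobile=98xxxxxx05
2023-06-12T09:00:09 client=app-77 action=lookup mobile=98xxxxxx06
2023-06-12T09:00:10 client=app-77 action=lookup mobile=98xxxxxx07
2023-06-12T09:00:11 client=app-77 action=lookup mobile=98xxxxxx07
"""


def parse_line(line):
    """Split one log line into (timestamp, {field: value})."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields


def find_enumerators(log_text, window=timedelta(minutes=1), threshold=5):
    """Return {client: distinct mobiles} for every client that looked up at
    least `threshold` distinct mobile numbers inside `window` with no prior
    OTP verification for that (client, mobile) pair."""
    otp_ok = set()               # (client, mobile) pairs with a prior OTP check
    recent = defaultdict(list)   # client -> [(ts, mobile)] of OTP-less lookups
    flagged = {}
    for line in log_text.splitlines():
        ts, f = parse_line(line)
        key = (f["client"], f["mobile"])
        if f["action"] == "otp_verified":
            otp_ok.add(key)
        elif f["action"] == "lookup" and key not in otp_ok:
            events = recent[f["client"]]
            events.append((ts, f["mobile"]))
            # Keep only lookups inside the sliding window.
            events[:] = [e for e in events if ts - e[0] <= window]
            distinct = {m for _, m in events}
            if len(distinct) >= threshold:
                flagged[f["client"]] = max(flagged.get(f["client"], 0), len(distinct))
    return flagged
```

Only app-77 is reported on the sample log; hospital-42's lookups each follow an OTP check and are ignored.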

It added that only the year of birth is captured for adult vaccination, not the full date of birth as suggested in the breach claims. Beneficiaries’ addresses are not captured either, it said.

(With agency inputs)
