Govt denies CoWin data breach, asserts data safety

The Indian government has dismissed reports suggesting a breach of data on the CoWin portal, which stores COVID-19 vaccination data. Union Minister Rajeev Chandrasekhar assures that there is no direct breach of the CoWin app.

Claims on Twitter Regarding Data Access

Certain posts on Twitter have alleged that personal data of vaccinated individuals is being accessed through a Telegram BOT. The BOT reportedly retrieves individual data using mobile numbers or Aadhaar numbers.

Reports Deemed Baseless and Mischievous

The government clarifies that these reports are unfounded and mischievous. The Co-WIN portal of the Health Ministry is entirely secure, with robust measures in place to safeguard data privacy.

The portal utilizes a Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessments, and Identity & Access Management. Data access is only granted through OTP authentication.

CoWin Data Access Levels

The Co-WIN portal allows data access at three levels:

1. Beneficiary dashboard: Vaccinated individuals can access their own Co-WIN data using their registered mobile number with OTP authentication.
2. Authorized user of Co-WIN: Vaccinators who have verified login credentials can access personal-level data of vaccinated beneficiaries. The system tracks every authorized user’s access activity.
3. Access through APIs: Personal-level data of vaccinated beneficiaries can be accessed by third-party applications that have authorized access to Co-WIN APIs, with the beneficiary’s OTP authentication.

Clarification on the Telegram BOT

Data of vaccinated beneficiaries cannot be shared with any BOT without OTP authentication. Only the Year of Birth (YOB) is captured for adult vaccination; claims suggesting the BOT also captures the Date of Birth (DOB) are incorrect. There is no provision to capture the beneficiary’s address.

No public APIs allow data access without OTP

The developers of CoWin assure that OTP verification is required for any data retrieval through public APIs. Some APIs have been shared with trusted third parties, such as the Indian Council of Medical Research (ICMR), but data requests through these APIs require specific whitelisted access.

Government Actions to Address the Issue

The Union Health Ministry has asked the Indian Computer Emergency Response Team (CERT-In) to probe the matter and report back. Meanwhile, CoWin’s security measures are undergoing an internal review to secure the data. CERT-In’s initial report indicates that the Telegram bot’s backend database does not directly access the CoWin database APIs.

Commenting on the reports, Mr. Rajeev Chandrasekhar, Union Minister of State for Information Technology, said:

Ministry checked the reports of data leak and found that CoWin app or database has not been “directly breached”. The data being accessed by a bot is from a threat actor database, which seems to have been filled with previously leaked/stolen data. It does not appear that the CoWin app or database has been directly breached.