No data breach in CoWIN: Govt
New Delhi: Amid reports of an alleged breach of data on the CoWIN platform, the Centre on Monday said these reports were “without any basis” and “mischievous in nature”, and that the matter has been reviewed by the country’s nodal cyber security agency CERT-In.
The CoWIN portal is completely safe and has adequate safeguards for data privacy, the Union health ministry said in a statement, adding that an internal exercise has been initiated to review the existing security measures.
The health ministry clarification came after reports earlier in the day suggested a CoWIN (Covid Vaccine Intelligence Network) data breach, which reportedly allowed access to certain personal information that an individual gave on the government’s portal for Covid-19 vaccinations.
Reports and posts circulating on social media claimed that information, including a person’s phone number, gender, ID card details, date of birth, the last four digits of Aadhaar, and the name of the centre where the vaccine was received, had also been leaked on the channel.
The Trinamul Congress alleged the leaked data included the details of Rajya Sabha MP Derek O’Brien, senior Congress leaders P. Chidambaram, Jairam Ramesh and K.C. Venugopal, Rajya Sabha deputy chairman Haribansh Narayan Singh, Rajya Sabha MPs Sushmita Dev, Abhishek Manu Singhvi and the Shiv Sena’s Sanjay Raut.
Reacting to this, Union minister of state for electronics and information technology Rajeev Chandrashekhar said the Indian Computer Emergency Response Team (CERT-In) had immediately responded and it does not appear that the CoWIN app or database has been directly breached. He said a Telegram bot was throwing up CoWIN app details upon the entry of phone numbers.
The minister said: “The data being accessed by the bot is from a threat actor database, which seems to have been populated with previously breached/stolen data stolen from the past. It does not appear that the CoWIN app or database has been directly breached.”
The health ministry said there are reports alleging the breach of data from the CoWIN portal, the repository of all data of beneficiaries who have been vaccinated against Covid-19. “It is clarified that all such reports are without any basis and mischievous in nature. The Co-WIN portal of the health ministry is completely safe with adequate safeguards for data privacy,” it said.
Furthermore, security measures are in place on the CoWIN portal with Web application firewall, regular vulnerability assessment, and identity and access management, it said.
“Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal,” the ministry said.
“CERT-In, in its initial report, has pointed out that backend database for the Telegram bot was not directly accessing the APIs of CoWIN database,” the statement said. It said certain Twitter users have claimed the personal data of individuals who have been vaccinated is being accessed using a Telegram (online messenger application) bot.
It is reported that the bot has been able to pull individual data by simply passing the mobile number or Aadhaar number of a beneficiary, the ministry said.
CoWIN was developed and is owned and managed by the Union health ministry. An Empowered Group on Vaccine Administration (EGVAC) was formed for steering the development of CoWIN and for deciding on policy issues.
At present, the statement said, individual-level vaccinated beneficiary data access is available at three levels. The first is the beneficiary dashboard -- the person who was vaccinated can access their CoWIN data using the registered mobile number with OTP authentication.
The second is a CoWIN authorised user -- the vaccinator, using the authentic login credentials provided, can access personal-level data of vaccinated beneficiaries. The third is API-based access -- third-party applications that have been provided authorised access to CoWIN APIs can access personal-level data of vaccinated beneficiaries only through beneficiary OTP authentication.