NEW DELHI: Describing reports of the CoWIN data leak as "mischievous" and "without any basis," the government on Monday claimed that the data collected by the portal was "completely safe."
However, the centre ordered a probe from the CERT-IN (Indian Computer Emergency Response Team) to look into the alleged data leak following reports that the personal information of people, including some opposition leaders and bureaucrats, have been breached from the CoWIN portal, India’s Covid-19 vaccination tracking platform.
As opposition targeted the government, Union Minister for Information Technology Rajeev Chandrasekhar, in a tweet said a Telegram Bot was throwing up Cowin app details upon entry of phone numbers. The data being accessed by a bot from a threat actor database, which seems to have been populated with previously breached/stolen data stolen from past.”
He also said that it does not appear that the Cowin app or database has been directly breached. “National Data Governance policy has been finalised to create a common framework of Data storage, Access and Security standards across all of govt.”
Highlighting that the CoWIN portal is ‘completely safe with adequate safeguards for data privacy,’ the Union Health Ministry said, “It is clarified that all such reports are without any basis and mischievous in nature.”
The ministry said that “certain posts on the social media platform Twitter have claimed using Telegram (online messenger application) BOT, the personal data of individuals vaccinated is being accessed.”
It is reported that the BOT has been able to pull individual data by simply passing the mobile number or Aadhaar number of a beneficiary, it said.
The ministry said security measures are in place on the CoWIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management etc.
“Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure the security of the data in the CoWIN portal.”
The ministry requested CERT-In to look into the issue and submit a report. “In addition, an internal exercise has been initiated to review the existing security measures of CoWIN. CERT-In, in its initial report, has pointed out that the backend database for the Telegram bot was not directly accessing the APIs of the CoWIN database,” it said.
The ministry also said that CoWIN only collects their year of birth and that there is no provision to capture a person’s address on the portal.
In a tweet, Trinamool Congress (TMC) national spokesperson Saket Gokhale shared screenshots of the alleged data breach. He said the leaked data included details of Rajya Sabha Deputy Chairman Haribansh Narayan Singh; Union Health Secretary Rajesh Bhushan; Congress leaders P Chidambaram, Jairam Ramesh, Abhishek Manu Singhvi and KC Venugopal; Rajya Sabha MPs Derek O’Brien, Sushmita Dev and Sanjay Raut.
However, the Telegram account which shared the personal details has been inactive since morning.
This is not the first time CoWIN has come under the scanner for being vulnerable to data breaches. Such a breach was also reported in 2022. The government had denied it then and had said it was "safe and secure."
Congress spokesperson Shama Mohamed said the personal information of all Indian citizens, who were registered on the portal, had been leaked, including Aadhaar, Pan card, and mobile numbers. "The Modi government has compromised the security and privacy of Indians! This is criminal negligence."
In a statement, the CPI-M demanded a thorough investigation. "This is of serious concern and an infringement of the right to privacy, which the Supreme Court declared as a fundamental right of all Indians."
The CoWIN portal - a comprehensive cloud-based IT solution for planning, implementation, monitoring, and evaluation of COVID-19 vaccination in India is owned and operated by the union health ministry. It has details of over 100 individuals, including over four crore children between the age of 12-14 and over 37 crore people over the age of 45.