
CoWIN data 'completely safe', reports of breach 'mischievous', clarifies govt

The Central government has responded to the ‘CoWIN data leak’ reports, saying the data is ‘completely secure’

CoWIN data leak: Screenshot of leaked details of Congress leader P Chidambaram by Telegram bot (Saket Gokhale)

The Central government has issued an official statement assuring that the CoWIN portal is ‘completely safe’ amid reports that a data leak has made personal details of many Indian citizens available on the instant messaging app Telegram. Earlier reports stated that data from the CoWIN portal, which was used as a repository of personal details of those who received Covid vaccination, had been leaked on Telegram, including details of many Indian citizens.

“The development team of CoWIN has confirmed that there are no public APIs where data can be pulled without an OTP,” the Centre said in its clarification note addressing the data breach reports.

The official statement cited reports stating that personal data such as the PAN number and Aadhaar number of many Indian citizens, including high-profile political leaders, had been made available on Telegram. The Indian health ministry called these reports ‘mischievous’ and ‘baseless’.

“Certain posts on the social media platform Twitter have claimed using a Telegram (online messenger application) BOT, the personal data of individuals who have been vaccinated is being accessed. It is reported that the BOT has been able to pull individual data by simply passing the mobile number or Aadhaar number of a beneficiary,” the official statement read.

The ministry report also elaborated on the security measures taken for the CoWIN portal. They said that adequate safeguards for data privacy had been undertaken.

“It is clarified that all such reports are without any basis and mischievous in nature. Co-WIN portal of Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on Co-WIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management etc. Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal,” the Indian Government's official statement read.

The CoWIN portal of the Union Health Ministry is the repository of all data of beneficiaries who have been vaccinated against Covid-19. The Indian government said that it has informed the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report.

Further, an internal exercise has been initiated to review the existing security measures of CoWIN.

According to CERT's initial report, the backend database for the Telegram bot was not directly accessing the APIs of the CoWIN database.

“CoWIN was developed and is owned & managed by MoHFW. An Empowered Group on Vaccine Administration (EGVAC) was formed for steering the development of CoWIN and for deciding on policy issues. Former CEO National Health Authority (NHA), chaired EGVAC which also included members from MoHFW and MeitY,” the official statement added.

The Indian government's official statement on the alleged data leak from the CoWIN portal also described the data access arrangements put in place by the government.

At present, access to individual-level vaccinated beneficiary data on the CoWIN portal is available at three levels.

- Beneficiary dashboard: The person who has been vaccinated can access their Co-WIN data through the registered mobile number with OTP authentication.

- CoWIN authorized user: The vaccinator can access personal-level data of vaccinated beneficiaries using the authentic login credentials provided. The CoWIN system tracks and keeps a record of each time an authorized user accesses the CoWIN system.

- API-based access: Third-party applications that have been provided authorised access to Co-WIN APIs can access personal-level data of vaccinated beneficiaries only through beneficiary OTP authentication.

On the Telegram bot that allegedly revealed data of Indian Covid vaccine beneficiaries, the Indian government said, “Without OTP vaccinated beneficiaries’ data cannot be shared to any BOT”.

“Only Year of Birth is captured for adult vaccination but it seems that on media posts it has been claimed that BOT also mentioned date of Birth (DOB). There is no provision to capture address of beneficiary,” it added.

According to reports, the BOT that allegedly revealed all the personal details of Indian citizens on Telegram has been disabled.

 

 

Updated: 12 Jun 2023, 05:22 PM IST