The Health Ministry on Monday said reports of data breach of CoWIN beneficiaries who received COVID vaccination are “without any basis and mischievous in nature.” It said the Indian Computer Emergency Response Team (CERT-In) had been asked to investigate the issue and submit a report. The CoWIN (Covid Vaccine Intelligence Network) portal is completely safe with adequate safeguards for data privacy, the Ministry maintained.
“It does not appear that CoWIN app or database has been directly breached,” tweeted Rajeev Chandrasekhar, Union Minister of State for Electronics, and Information Technology, clarifying that data being accessed by the bot from a threat actor database seems to have been populated with previously breached/stolen data. The database, he said, was other than CoWIN.
The Minister added that with reference to some alleged CoWIN data breaches reported on social media, @IndianCERT had immediately responded and reviewed this.
Further, he tweeted that a Telegram Bot was throwing up CoWIN app details upon entry of phone numbers.
“The national data governance policy has been finalised that will create a common framework of data storage, access and security across all of government,” Mr. Chandrasekhar tweeted.
But what is more worrying is the fact that CoWIN, which serves the functions of registration, appointment scheduling, identity verification, vaccination, and certification of each vaccinated member, has also been integrated in the Aarogya Setu and UMANG Apps.
UMANG (Unified Mobile Application for New-age Governance) is developed by the Ministry of Electronics and Information Technology (MeitY) and National e-Governance Division (NeGD) to drive mobile governance in India. UMANG provides a single platform for all Indian citizens to access pan India e-Gov services ranging from Central to local government bodies.
Meanwhile, as per reports, the current data breach is possible if the mobile number of a person is entered — details such as the identification number of the document submitted for vaccination (Aadhaar, passport, PAN card and so forth), gender, date of birth, and the centre where the vaccine was administered, are provided as reply in an instant by the messenger bot in question.
These details could be accessed even if the Aadhaar number was entered instead of the phone number. The passport numbers of those who had updated the CoWIN portal for travel abroad were also leaked.
