The Indian government has responded to reports of an alleged data breach of the CoWIN database, the platform used for COVID-19 vaccine registration and administration. The government stated that the data appeared to have been sourced from a different database containing information stolen in the past, indicating that there was no direct breach of the CoWIN app or database.
The response came following reports that an automated bot on Telegram was surfacing personal details of individuals who had registered with the CoWIN platform to receive COVID-19 vaccinations during the pandemic. Concerns were raised about the security of the platform and the potential exposure of sensitive data.
Minister of State for Electronics and Technology, Rajeev Chandrasekhar, took to Twitter to address the issue. He mentioned that the Indian Computer Emergency Response Team (CERT-In) had responded and reviewed the reports of breaches that surfaced on social media. Chandrasekhar revealed that a Telegram bot was sharing CoWIN app details when a phone number was entered. However, the bot was taken down shortly after its discovery and subsequent media coverage.
With ref to some Alleged Cowin data breaches reported on social media, @IndianCERT has immdtly responded n reviewed this
✅A Telegram Bot was throwing up Cowin app details upon entry of phone numbers
✅The data being accessed by bot from a threat actor database, which seems to…
— Rajeev Chandrasekhar 🇮🇳 (@Rajeev_GoI) June 12, 2023
Chandrasekhar further explained that the bot was accessing data from a threat actor database. The information available in this database appeared to have been sourced from a previous data breach. However, specific details about the previous breach, including its origin and whether it was previously detected or disclosed, were not shared.
Importantly, the minister clarified that it did not appear that either the CoWIN app or database was directly breached. This raised questions about how the details of CoWIN users were accessible if there was no direct breach of the platform.
In a press release, the government emphasized that CoWIN data access was available at three levels: the vaccine recipient, the authorized vaccinator, and third-party applications with API-based access. The platform logs each attempt by an authorized vaccinator to access the CoWIN system, ensuring accountability.
The government stated that an automated bot could not access data from the CoWIN platform without an OTP (one-time password) sent to the vaccine recipient, and that no public API offered that level of access. It also clarified that the system did not record the recipient's address and recorded only the year of birth for vaccination, which contradicts social media claims that the bot returned recipients' dates of birth.
The CoWIN development team confirmed that some APIs were shared with trusted third parties, such as the Indian Council for Medical Research (ICMR), but access requests were only accepted through a trusted API whitelisted by the CoWIN application. This suggests that there might have been an API that could access data without requiring an OTP.
To address the concerns and investigate the issue further, the Union Health Ministry has requested CERT-In to conduct a thorough investigation and submit a detailed report on its findings.
While the government has emphasized that there was no direct breach of the CoWIN app or database, the incident has highlighted the importance of data security and the need for constant vigilance in safeguarding sensitive information. Measures such as regular security audits, stringent access controls, and continuous monitoring should be implemented to ensure the protection of user data and maintain public trust in digital platforms like CoWIN.
As the investigation unfolds, the government remains committed to ensuring the privacy and security of individuals’ data and taking necessary steps to address any vulnerabilities that may arise.