CoWIN Privacy Breach: Telegram Bot Leaks Data Of Those Vaccinated, Govt To Probe

In a major data breach, private information of thousands of Indian citizens – including politicians and celebrities – has been leaked after a Telegram bot uploaded the data of people who had registered on the CoWIN application to get their COVID-19 vaccination shots. 

The data leaked includes the names, date of birth, gender, phone number, Aadhaar details, passport details, location where the first dose was administered, reported The Fourth News and Manorama.

However, the Government of India released a statement on Monday, 12 June, saying,

The Telegram bot called ‘Truecaller’, was created on 1 June, and was being run by an account called ‘hak4learn’. It was deleted in the early hours of Monday, 12 June. However, FIT found that the bot became active again at about 12:30 pm, but was not returning any results.

There are multiple reasons why this data breach is a cause of concern.

The bot gives you the date of birth of individuals too which is linked to several other sensitive and private information.

Srikanth L, a digital identity expert from a consumer awareness collective, while speaking to FIT, said,

The scale of this breach is huge too. If registrations/appointments were made for multiple people using one mobile number, the bot gives you the details of all of those individuals. “Along with your personal data, the data of individuals in your family is also compromised. It’s a single database which has billions of records," says Srikanth.

It gives you the data of minors too. Srikanth, who had access to the bot after the breach was first reported by The Fourth News, also tried using some publicly available Aadhar card numbers like that of a minor victim, and some other fraudulent Aadhar cards of non-existent people. He told FIT, 

Srikanth also mentioned how the ‘digital-first’ vaccination drive essentially enabled centralised data collection by the government fully ignoring privacy concerns which other countries gave due importance to, providing paper based vaccination certificates.

Dr Anant Bhan, a public health expert, said to FIT, "This is a worrying incident and reinforces the importance of care and due diligence in dealing with privacy of health data and ensuring it is kept confidential."

Dr Bhan is a little concerned that an incident of such a scale might lead to "trust breakdown" among the general public. This could lead to an increased reluctance to share health data or to participate in public health initiatives.

He adds,

Ram Sewak Sharma, Chairman of the CoWIN high power panel and CEO of the  National Health Authority, told The News Minute, 

In January last year too, Sharma had claimed that CoWIN had “state-of-the-art security infrastructure and has never faced a security breach.”

Even Rajeev Chandrasekhar, Union Minister of State for Entrepreneurship, Skill Development, Electronics & Technology, took to Twitter to deny these allegations.

• Who all have access to this database now?

• In what ways can this data be misused?

• Will this impact the other ‘Digital First’ initiatives the government has been taking?

• Who will take responsibility?

FIT has reached out to the Health Ministry and the Ministry of Electronics and Information Technology. The story will be updated with their response.