Video Producer: Garima Sadhwani
Video Editor: Puneet Bhatia
The central government on Monday evening, 12 June, denied reports of an alleged breach of the data of citizens who had registered on the CoWIN portal to get vaccinated against COVID-19.
Earlier that day, news outlets Manorama and The Fourth News were the first to report that a Telegram bot called ‘Truecaller’ run by ‘hak4learn’ was uploading sensitive information of individuals on simply inputting either their phone or Aadhaar numbers.
But several questions remain.
The Telegram bot was generating sensitive information such as:
Phone numbers
Gender
Aadhaar/Passport number
Date of birth
Location where the doses were administered
Details of everyone who booked appointments through a single number
If the government is claiming that the data collected through the CoWIN vaccination portal is secure, where did these data sets come from?
Union Minister of State for Information Technology Rajeev Chandrasekhar took to Twitter to say that CoWIN data is safe, but the data that has been accessed by the bot seems to be previously stolen data.
Let's simplify this a little. Imagine Person A registered themselves on CoWIN to get vaccinated and entered their Aadhaar and phone number on the website. Person A also gave access to this same information to some other entity for XYZ reason.
What Chandrasekhar is saying is that the details uploaded on CoWIN are absolutely safe, and that the data served by the bot was stolen from somewhere else in the past. That would have made sense if the bot were not also giving out details such as the location where the doses were administered and how many people booked appointments together.
Yes, Person A may have uploaded their phone number, date of birth, etc. on multiple websites for multiple reasons, from where it could easily have been stolen. But they wouldn't have uploaded the more specific details, such as who in their family registered on CoWIN from the same number and where they got vaccinated.
In 2021, the government had allowed the integration of third-party apps and services with CoWIN for purposes such as vaccine registrations, booking appointments, and even the downloading of vaccine certificates. Is it possible that the data was allegedly leaked as a result of these third-party platforms being compromised? On the other hand, if CoWIN data was allegedly breached, could other data stored on these third-party platforms also be at risk?
In its statement released on Monday, the Centre said that the following security measures have been put in place for the protection of CoWIN data.
Web Application Firewall
Anti-DDoS
SSL/TLS
Regular vulnerability assessment
Identity & Access Management
OTP authentication
The Centre has also stated that the only parties that can access CoWIN data are the beneficiary, the CoWIN authorised user, and the third-party applications linked with the government.
The bot was created on 1 June, and was deleted in the early hours of 12 June, after media reports about it surfaced. Meanwhile, the government's statement says that individual-level vaccinated beneficiary data access is available at the following three levels:
Beneficiary dashboard: "The person who has been vaccinated can have an access to the Co-WIN data through use of registered Mobile number with OTP authentication."
CoWIN authorised user: "The vaccinator with use of authentic login credential provided can access personal level data of vaccinated beneficiaries. But the COWIN system tracks & keeps record of each time an authorized user accesses the COWIN system."
API-based access: "The third party applications who have been provided authorised access of Co-WIN APIs can access personal level data of vaccinated beneficiaries only through beneficiary OTP authentication."
"The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP," read a press release by the Union Ministry of Health and Family Welfare (MoHFW).
The ministry further said that APIs have been shared with third parties such as ICMR for data-sharing purposes.
"It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application," the ministry added.
But this has only raised further questions: which entity has been "white-listed"? And how does the CoWIN API ensure that it only accepts requests from this "very specific" and "trusted API"?
An alleged data breach of this scale, and with this amount of sensitive information, is a cause for concern.
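The ministry's description implies a partner API that is trusted by allowlisting alone and can look up records by phone number without the beneficiary's OTP. The following added example (not code from the article, CoWIN, or the ministry) models the audit trail the government says the system keeps, using a constructed, hypothetical log format, and shows the defender's check that such a design needs: flag callers that are not on the allowlist, and flag allowlisted callers that query many distinct subjects without OTP consent in a short window, which is the pattern a bulk lookup through a trusted integration would leave behind.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in a hypothetical format:
# <timestamp> <caller> <endpoint> <subject phone> otp=<yes|no>
SAMPLE_LOG = """\
2023-06-11T22:00:01 partner-A /beneficiary/lookup 9100000001 otp=yes
2023-06-11T22:00:05 partner-A /beneficiary/lookup 9100000002 otp=yes
2023-06-11T22:01:00 partner-B /beneficiary/lookup 9100000003 otp=no
2023-06-11T22:01:01 partner-B /beneficiary/lookup 9100000004 otp=no
2023-06-11T22:01:02 partner-B /beneficiary/lookup 9100000005 otp=no
2023-06-11T22:05:00 partner-B /beneficiary/lookup 9100000006 otp=no
2023-06-11T22:30:00 partner-C /beneficiary/lookup 9100000007 otp=no
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) otp=(yes|no)$")


def parse(log):
    """Parse audit lines into (timestamp, caller, endpoint, subject, otp_verified)."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the review
        ts, caller, endpoint, subject, otp = m.groups()
        events.append((datetime.fromisoformat(ts), caller, endpoint, subject, otp == "yes"))
    return events


def flag_enumeration(events, allowlist, window=timedelta(minutes=5), max_subjects=3):
    """Return {caller: reason} for callers that violate the intended access model.

    A caller outside the allowlist should never reach the endpoint at all.
    An allowlisted caller whose requests carry no beneficiary OTP is trusted on
    identity alone, so we count how many distinct subjects it looks up inside
    a sliding window; exceeding max_subjects indicates bulk retrieval.
    """
    findings = {}
    history = defaultdict(list)  # caller -> [(timestamp, subject)] for no-OTP lookups
    for ts, caller, _endpoint, subject, otp_ok in sorted(events):
        if caller not in allowlist:
            findings[caller] = "caller not allowlisted"
            continue
        if otp_ok:
            continue  # the beneficiary consented to this specific lookup
        history[caller].append((ts, subject))
        recent = {s for t, s in history[caller] if ts - t <= window}
        if len(recent) > max_subjects:
            findings[caller] = f"{len(recent)} distinct subjects without OTP within {window}"
    return findings
```

With the sample above and an allowlist of partner-A and partner-B, partner-A is clean (every lookup was OTP-bound), partner-B is flagged for four no-OTP subjects inside five minutes, and partner-C is flagged for not being allowlisted.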
Srikanth had told FIT:
But the bigger issue here is that the datasets of minors too have been breached. Srikanth said that he accessed the bot after news reports surfaced about the breach. He said that, using publicly available Aadhaar card numbers, he was able to access the private data of a minor who had died by suicide in Tamil Nadu.
FIT has reached out to the Health Ministry and the Ministry of Electronics and Information Technology. The report will be updated with their statement, if and when they respond.