In one of the largest data breaches in India, data of several Indians vaccinated against Covid-19 was leaked on a Telegram bot on Monday.

The leak was of data stored on the CoWIN portal, a government-funded online platform that was created to record personally identifiable information about those vaccinated against Covid-19.

This includes name, gender and birth details, as well as Aadhaar numbers, PAN cards, passport numbers, voter ids, and details of the vaccination centre in which a person was immunised. The data bot was offered by a Telegram channel called hak4learn, which frequently provides hacking tutorials. It has now been taken down.

The government has said reports of a data breach are “without any basis and mischievous in nature. The CoWIN portal is completely safe with adequate safeguards for data privacy”.

Union minister of state for electronics and information technology Rajeev Chandrasekhar said the data used by the bot seemed to be “populated with previously stolen data”, which seemed to suggest a data breach in the past.

While the Indian Computer Emergency Response Team is investigating the lead, a digital threat analysis company based in Bengaluru, CloudSek, in a statement said that its investigation shows that the hacker does not have access to the entire CoWIN portal or its backend data. Instead, the data, its chief executive officer Rahul Sasi told Scroll, has been compromised through the credentials of several health workers.

Back in 2021, when the CoWIN platform was launched, Anivar Aravind, a public interest technologist, had raised red flags. A year before, he had petitioned the Karnataka High court against the central government’s decision to make the Arogya Setu app mandatory for Covid-19 management and pointed out the risks of collecting personal information of people.

In this interview with Scroll, Aravind explains how such a data leak makes users vulnerable, and questions why the government has refused to take responsibility or fix accountability when it fails to protect citizens’ data. Excerpts:

Anivar Aravind.

How does the CoWIN data breach impact any of us?

The problem is that the level of awareness about all this is very low in india. There is so much potential for misuse.

One of the largest data breaches in the world was of Yahoo, when 3 billion email accounts and passwords were compromised in 2013. If an email or password is breached, you can still change the password or make a new email id.

But, remember, CoWIN is about multiple identity points that you cannot change. Here, the data leaked contains a person’s phone number, their Aadhaar number that cannot be changed, date-of-birth information and family details, which too cannot be altered. It can also potentially help anyone identify the area a person might be residing in by leaking information about the vaccination centre.

Recently, there have been several reports of people getting random scam calls on WhatsApp. How are scamsters getting these numbers? Such data leaks provide them that information.

Second, there are lots of social engineering scams going on – where a scamster manipulates or deceives the victim in order to gain control of their computer system or to steal their financial or personal information.

If someone wants to scam you, they now have more data points to sound credible and fool you. They have your date of birth, Aadhaar number and it is easier to make themselves sound authentic.

A scamster can use an Aadhaar number, photoshop it and use it to open a bank account, which is identity theft. Or they could use the information to convince you that they are calling from a bank and do financial transactions on your behalf, which are phishing attacks. There are several possibilities.

How exactly has the breach occurred?

It appears that the leaked data is not coming directly from the CoWIN server, but from a copied database linked with the Telegram bot.

This means that when you enter a phone number to access vaccination details, the bot is not going to the CoWIN server to retrieve information, it is coming from a database already leaked. This means that the data dump has been leaked at some point in the past.

With this bot, if you enter the mobile number, it displays the entire vaccination information (like name, Aadhaar number, vaccination date, place and date of birth). The bot access has been cut now, but the leaked data is still with the hacker. There is no way to retrieve that data. What is lost is lost.

Is there any idea of the amount of data leaked or when the data got stolen?

There is no clarity. The Union minister of state for information technology has said that the leak is related to a database stolen in the past and that data has been copied and is being leaked now.

We know that the data must have been stolen or breached after January 2022. That is when vaccination for children opened up. In the current leak, information about children is also available. This primarily means the data breach happened within a year and half.

There is no way to evaluate the size of the leak, but CoWIN has at least 110 crore registrations so far.

A boy gets a shot during a Covid-19 vaccination drive for children aged 12 to 14 inside a school in Ahmedabad, in March 2022. Credit: Amit Dave/Reuters.

There are other apps linked with CoWIN, the Arogya Setu, the DigiLocker, or the Ayushman Bharat Health Account. Is it possible the breach occurred from there?

We don’t know the source of the leak yet. There is an application programming interface, or API, called the Arogya Setu that allows downloading of vaccination certificates. But it asks for a one-time password consent to download the certificate. So the leak is not from that API.

When the government is using digital certification for vaccination and making it mandatory at multiple checkpoints, it is their primary responsibility to secure the data. The government wants us to believe that they will secure the data but they are not being able to do it.

The failure of state-controlled user data continues. They claim that they are building world-class digital public infrastructure. Even when they make these claims, there is a gap in privacy laws in India. There is no accountability.

What are current legal provisions for privacy and data leaks?

The data protection bill remains in draft stage. Every draft is more diluted than the previous one and gives more relaxation to the state. The state needs to gain the trust of users. And it is failing miserably there.

As a user or a beneficiary, how can one protect themselves?

Users were coerced by the government to give their Aadhaar numbers or other identity proofs for vaccination. What option did the user have? Either give data and get vaccinated, or don’t get vaccinated. That is no option at all.

A user has no way to ask the government about the compromised data and their rights. A user cannot ask the government whether they can get a new Aadhaar number if the present one has been leaked.

There is no solution for the compromised data.

In 2021, I had raised the question of user consent when it came to sharing vaccination details with third parties.

The government enrolled several people for a unique digital health account when they came for Covid-19 vaccination – without taking their consent. So now, there are also health ids in the names of people without their knowledge.

What is happening to that data, we don’t know.

Last year, there was a ransomware attack on the All India Institute of Medical Sciences, or AIIMS, Delhi. As the use of digital technology in the health sector grows, will we see more such breaches?

The problem is that the government is trying to project itself as a big player in digital technology. But it does not have the capacity or competence at this point of time to protect its own database. An Aadhaar leak is now an everyday story.

There is a lot of investment to grow digital platforms, provide them subsidies. But there is minimal fixing of accountability.

This is the biggest identity database leak I have ever seen. And still nobody is taking responsibility.

When the minister says CoWIN does not appear to be directly breached and this is a previously stolen database, what about the investigation of that old leak then?

If there is no protection provided to users, we will continue to see such data leaks.

When the data of a person, under care of the government, is breached, the government should give full disclosure and make the investigation public. If the institution is keeping it a secret, how will the public know?

Union minister of state for electronics and information technology Rajeev Chandrasekhar. Credit: PTI.

We keep hearing of ghost workers or beneficiaries of government schemes, who have stolen other’s Aadhaar data to get benefits. Will this large-scale leak be an indication of something similar?

It is about individual awareness really, how one can identify the threats. Having said that, not everyone has that learning curve. India is not a digitally literate country. It is not even a fully literate country (in terms of primary education). So the scams involving the poor and illiterate will be higher.

If someone threatens that the bank account will be shut if a particular procedure is not carried out and for that they ask for an OTP, then how many people will question such a caller? Very few.

Those kinds of scams will increase.

How are other countries handling such data leaks?

No government in a developed country would have survived a data leak on such a large scale. In India, everyone is still playing around it.

If, say, Facebook or Google suffer such a massive leak, how will the European Union react? The kind of fines they enforce is huge. The government in India is incapable of handling such major breaches.

This reporting was supported by a grant from the Thakur Family Foundation. Thakur Family Foundation has not exercised any editorial control over the contents of this article.