Personal data from India’s Covid vaccine app leaked on Telegram, say reports
The Union health ministry has asked the Indian Computer Emergency Response Team to look into the matter and submit a report.
In a major data breach, personal details of those who registered on the CoWIN portal to get their coronavirus vaccines have allegedly been leaked on messaging platform Telegram, reported The News Minute on Monday.
A bot on a Telegram group was providing details such as the names, dates of birth, phone numbers and passport or Aadhaar numbers of individuals who registered for vaccinations on the government-run CoWIN portal.
The breach was first reported by The Fourth, a Malayalam news portal, which accessed details of Kerala Health Minister Veena George, CoWIN high power panel Chairperson Ram Sewak Sharma, Congress General Secretary KC Venugopal and Union Minister Meenakshi Lekhi.
More than 110 crore persons have registered on the CoWIN app.
The data breach was confirmed by The News Minute, which got access to details of Lok Sabha MP Kanimozhi Karunanidhi, Telangana minister Kalvakuntla Taraka Rama Rao, former Union minister Harsh Vardhan, Bharatiya Janata Party Tamil Nadu chief K Annamalai and Congress MP Karti Chidambaram through the bot on the Telegram group. All of them except Vardhan confirmed the veracity of the details the news portal got from the bot.
To access the details, one only had to provide the phone number or Aadhaar number of an individual registered with the CoWIN app, and the bot fetched the remaining details, according to The News Minute. The bot was taken down around 9 am on Monday, The News Minute reported.
The Union health ministry has asked the Indian Computer Emergency Response Team to look into the matter and submit a report. However, it said that the CoWIN portal is “completely safe” with safeguards in place for data privacy. It said that beneficiary data cannot be shared with any bot without a one-time password.
The health ministry said that reports claiming that there was a data breach from the CoWIN portal are “without any basis and mischievous in nature”.
Union Minister of State for Electronics and Information Technology Rajeev Chandrasekhar also said that it did not appear that the CoWIN database had been directly breached.
This is not the first time that such a breach has been reported. In June 2021, a hacker group named Dark Leak Market had claimed that it had access to the database of about 15 crore Indians who registered on the portal.
CoWIN high power panel Chairperson Ram Sewak Sharma, who is also the chief executive officer of the National Health Authority, had then refuted the claims, saying that the vaccination data is in “a safe and secure digital environment”.
Sharma again refuted the claims of a data breach after The News Minute informed him about the Telegram bot.
“How can there be a breach of data?” he asked. “Give me the proof, because when you enter a phone number, the One Time Password comes only to that phone number. It is not possible for anyone to access others’ details.”
On Monday, Trinamool Congress spokesperson Saket Gokhale described the leak as a “matter of serious national concern”.
“Why is the Modi government including home ministry not aware of this leak and why haven’t Indians been informed about a data breach?” he asked in a series of tweets. “Who has the Modi government given access to sensitive personal data of Indians incl[uding] Aadhaar and Passport numbers which enabled this leak?”
Kazim Rizvi, the founding director of think tank The Dialogue, said that the data breach underlines the need for data protection regulation in the country. “There is less clarity regarding the key mechanisms and instruments the CoWIN ecosystem uses to [detect] such data breaches to take prompt action,” he said.