Active Stocks
Fri Dec 01 2023 15:59:55
  1. Tata Steel share price
  2. 129.95 1.56%
  1. Reliance Industries share price
  2. 2,393.45 0.72%
  1. NTPC share price
  2. 269.05 2.97%
  1. ICICI Bank share price
  2. 946.35 1.19%
  1. HDFC Bank share price
  2. 1,555.5 -0.22%
Business News/ News / India/  Govt probes CoWin data breach claims
Back Back

Govt probes CoWin data breach claims

Centre claims portal is safe, with enough data privacy protection

The government said the CoWin website, a repository of all data of those who have been vaccinated against covid-19, maintains strong data privacy safeguardsPremium
The government said the CoWin website, a repository of all data of those who have been vaccinated against covid-19, maintains strong data privacy safeguards

The government launched an investigation into a data breach after personal data of vaccinated citizens, including VVIPs, from the CoWin website was allegedly leaked via a Telegram messenger channel.

The government said the CoWin website, a repository of all data of those who have been vaccinated against covid-19, maintains strong data privacy safeguards. The health ministry stated that social-media reports claiming individuals’ data can be accessed from a Telegram bot bypassing the mobile number or Aadhaar number “are without any basis and mischievous in nature".

Graphic: Mint
View Full Image
Graphic: Mint

The health ministry said the CoWin website was completely safe, with adequate safeguards for data privacy. The ministry of electronics and information technology requested the Indian Computer Emergency Response Team (CERT-In), the agency that coordinates the efforts on cyber security matters, to look into this issue and submit a report, in addition to internally reviewing the existing security measures of CoWin.

Minister of state for electronics and information technology Rajeev Chandrasekhar said in a tweet that the data being accessed by the bot seems to have been populated with previously stolen data from databases other than CoWin. He added that the government was reviewing the existing security systems of the CoWin portal. “It does not appear that the CoWin app or database has been directly breached," he said. Chandrasekhar said CERT-In, under his ministry that looks into instances of data breaches, immediately responded to the allegations of a data breach.

The data breach claim has come as a major jolt to the government, which has been taking steps to digitize the economy and has built digital public infrastructure (DPI) based on the biometric identification number Aadhaar, individuals’ mobile numbers, and bank accounts as the backbone for the transfer of benefits and innovation in the private sector.

A leak of personal information from the CoWin platform would mean weakness in this digital public infrastructure, which has been a pillar for both government’s delivery of public goods and for the private sector to innovate and offer services like payment facilities. India has been showcasing this system as a symbol of innovation, helping in digital and financial inclusion.

“DPIs are a force multiplier for a population that wants to progress and develop," Chandrasekhar said at the third G20 digital economic working group meeting in Pune on Monday while proposing that all countries could come together to design DPIs that can be used collectively by all people.

Experts said digitization and adoption of digital services for government data required higher levels of cyber security as more cases of data breaches have been coming to the fore in the past few years. In November 2022, a massive ransomware attack took place against the systems at the All India Institute of Medical Sciences (AIIMS), New Delhi. The attack severely hampered the hospital’s centralized medical records and disrupted services.

“In the government’s relentless drive to digitize the economy, the significance of cyber security and data protection has become paramount...With immense opportunities emerging from a digitized economy, the spectre of cybercrime looms large, making the fortification of our virtual ramparts an absolute necessity," said Shashank Shekhar, the founder of Future Crime Research Foundation (FCRF), an IIT Kanpur incubated think tank.

“Governments must invest in cutting-edge defence mechanisms, enact stringent legislation, and foster cross-sector collaboration to counter evolving threats," Shekhar said.

CERT-In, in its initial report, has pointed out that the back-end database for the Telegram bot was not directly accessing the APIs of the CoWin database.

In January 2021, the central government launched the CoWin portal as the digital platform to capture covid-19 vaccination programme details. It is owned and managed by the Union health ministry.

As of date, the CoWin dashboard shows that 1.11 billion individuals have registered on the portal. Since the start of the vaccination programme, nearly 2.21 billion doses have been administered so far.

The health ministry said that individual-level vaccinated beneficiary data access is available at three levels. These are through a registered mobile number with OTP authentication, CoWin authorized users with authentic login credentials, and application programming interface (API)-based access.

With regards to the Telegram bot, the health ministry said without OTP, vaccinated beneficiaries’ data could not be shared with any bot. “Only year of birth is captured for adult vaccination, but it seems that on media posts, it has been claimed that bot also mentioned the date of birth. There is no provision to capture the address of the beneficiary," the ministry said.

Meanwhile, the government said the development team of CoWin has confirmed that there are no public APIs where data can be pulled without an OTP. In addition to the above, there are some APIs that have been shared with third parties, such as the Indian Council of Medical Research (ICMR), for sharing data.

“It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific, and the requests are only accepted from a trusted API that has been white-listed by the CoWin application," the health ministry said.

CERT-In is expected to submit a report to the health ministry. In its initial report, the agency pointed out that the back-end database for the Telegram bot was not directly accessing the APIs of the CoWin database.

Queries sent to the spokespeople for the Prime Minister’s Office and the ministry of finance did not elicit any response.

Chandrasekhar said the National Data Governance Policy had been finalized that would create a common framework of data storage, access, and security standards across all of the government.

Gireesh Chandra Prasad contributed to this story.

Milestone Alert!
Livemint tops charts as the fastest growing news website in the world 🌏 Click here to know more.

Priyanka Sharma
Priyanka Shamra is a health and pharma journalist with nearly nine years of field reporting experience. She is a special correspondent with Mint. Her beat includes covering the Ministry of Health and Department of Pharmaceuticals. She also covers the Ministry of Women and Child Development and the Department of Biotechnology.
Catch all the Elections News, Business News, Market News, Breaking News Events and Latest News Updates on Live Mint. Download The Mint News App to get Daily Market Updates.
More Less
Updated: 13 Jun 2023, 12:27 AM IST
Next Story footLogo
Recommended For You
Switch to the Mint app for fast and personalized news - Get App