Date: 2023-06-12
While the government has refuted these allegations, certain questions still remain unanswered.
(Photo: Garima Sadhwani/The Quint)
The Central government on the evening of Monday, 12 June, denied reports of an alleged breach of the personal data of citizens who had registered on the CoWIN portal to get vaccinated against COVID-19.
News portals Manorama and The Fourth News had earlier in the day broken the news that a Telegram bot called 'Truecaller', run by 'hak4learn', was returning sensitive information about individuals when given nothing more than their phone number or Aadhaar number.
But several unanswered questions remain.
FIT had earlier reported that the bot was returning sensitive information such as:
Phone number
Gender
Aadhaar/Passport number
Date of birth
Location where the doses were administered
Details of everyone who booked appointments through a single number
If the government is claiming that data collected through CoWIN is secure, where did these data sets come from?
Rajeev Chandrasekhar, Union Minister of State for Entrepreneurship, Skill Development, Electronics & Technology, took to Twitter to say that CoWIN's data is safe and that the data the bot was serving appears to be data stolen earlier from elsewhere.
Let's simplify this a little. Imagine person A registered on CoWIN to get vaccinated and entered their Aadhaar number and phone number on the website. Person A also gave this same information to some other entity for some other reason.
What Chandrasekhar is saying is that the details uploaded to CoWIN are absolutely safe, and that the data in the bot was stolen from that other source at some point in the past.
That explanation would hold up if not for fields such as the location where the doses were administered and how many people booked appointments through a single number, details that are specific to CoWIN records and would not appear in an unrelated dataset.
In its statement released on Monday, the Centre listed the following security measures as being in place to protect data on CoWIN:
Web Application Firewall
Anti-DDoS
SSL/TLS
Regular vulnerability assessment
Identity & Access Management
OTP authentication
The Centre has also stated that only three parties can access data on CoWIN: the beneficiary, CoWIN-authorised users, and third-party applications linked with the government.
The bot was created on 1 June and was deleted in the early hours of 12 June, after media reports surfaced.
There is no clarity yet on how many people accessed the bot, and the data it served, in the days it was online.
While speaking to FIT, Srikanth L, a digital identity expert from a consumer awareness collective, said that while this data might perhaps be sold to companies, other copies of the dataset would exist too, which means that many people might get access to the private information of billions of people.
A data breach of this scale, involving this much sensitive information, is a cause for concern.
Srikanth had told FIT,
But the bigger issue here is that the data of minors has also been exposed. Srikanth accessed the bot after news reports of the breach surfaced and, using publicly available Aadhaar numbers, was able to retrieve the private data of a minor who had died by suicide in Tamil Nadu.
Beyond these basic questions, even bigger ones remain unanswered as of now.
Since Aarogya Setu was also linked to CoWIN, does this breach mean that the data collected through that application is compromised as well?
If CoWIN's code was indeed open source, why was the breach not detected earlier?
CoWIN exposed its data to other platforms through APIs. Does that mean other platforms built on the same model, such as DigiLocker, PayTM and others, could be compromised too?
FIT has reached out to the Health Ministry and the Ministry of Electronics and Information Technology. The story will be updated with their response.