A man has been arrested by the Delhi Police on Thursday, 22 June, in connection with the alleged data breach of the CoWIN vaccination portal.
In particular: The accused was apprehended from his home in Bihar by the police's special cell, according to a report by The Indian Express.
Police claimed that the accused is the creator of the Telegram bot through which sensitive, health details of several Indians were being leaked.
They said that he is the son of a healthcare worker, who is also being interrogated.
A juvenile linked to the case has also been nabbed, the report added.
Zeroing in: The Delhi Police requested Telegram to share data about the bot as well as its creator, as part of its joint probe with the Indian Computer Emergency Response Team (CERT-In).
"We suspect he [the accused] took his mother’s help to breach the system. He created a bot and shared it on Telegram. We know he was not selling the data to anyone in particular," an unnamed police official was quoted as saying in the report.
"He tried hacking the system and was successful. When he realised he could put all the data online, he did. We don’t think he had any other ulterior motives," the official further claimed.
Why it matters: The Delhi Police official's remarks on the investigation appear to contradict the statement of Union Minister of State for IT Rajeev Chandrasekhar, who had denied that the CoWIN portal was "directly" attacked. It also raises questions about the involvement of the Delhi Police Special Cell in the investigation, given that data of citizens across India may have been exposed in the alleged breach.
Long story short: On 12 June, The Fourth News and Manorama first reported that a bot on Telegram was leaking the data of Indian citizens who had registered on the CoWIN portal to get their COVID-19 vaccination shots.
Inputting any vaccine beneficiary's mobile number or Aadhaar number would reportedly prompt the bot to respond with the leaked CoWIN data.
This data included the beneficiary's name, date of birth, gender, phone number, Aadhaar details, passport details, location where the first dose was administered
It would also generate the data of other beneficiaries that had registered on CoWIN using the same mobile number.
When prompted, the bot reportedly provided the sensitive data of former Union Health Minister Harsh Vardhan, Kerala’s Health Minister Veena George, Union Minister Meenakshi Lekhi, Congress leaders KC Venugopal and Karti Chidambaram, and Bharatiya Janata Party (BJP) Tamil Nadu president K Annamalai.
Of note: The bot was also able to throw up personal details of Dr RS Sharma, who oversaw the rollout of the CoWIN portal.
Between the lines: At first, the Union Ministry of Health and Family Welfare dismissed reports of the alleged breach as "without any basis and mischievous in nature."
Yes, but: On the same day, Minister of State for IT Rajeev Chandrasekhar tweeted, "It does not appear that Cowin app or database has been directly breached."
The evasive statements put out by the Centre in the wake of the breach left many questions unanswered such as – how does the leaked database have data that is unique to CoWIN? What was the scale of the breach and point of vulnerability? Is it possible that the data was leaked as a result of third-party platforms being compromised? Does the leaked database also contain details of minors?
Some perspective: "The CoWIN incident shows yet again, how the software development models that are used in building these systems are failing us," tech researcher Srinivas Kodali wrote for The Quint.
Meanwhile, Shweta Mohandas and Pallavi Bedi of Centre for Internet and Society (CIS), said:
"The threats posed as a result of this data being leaked are not limited to spam messages or fraud and impersonation, but also of companies that can get a hand on this coveted data and gather insights and train their systems and algorithms, without the need to seek consent from anyone, or without facing the consequences of harm caused."
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)