CoWIN Privacy Breach: Telegram Bot Leaks Data Of Those Vaccinated, Govt To Probe

In a major data breach, private information of lakhs who registered on the CoWIN portal has been leaked.

4 min read

In a major data breach, private information of thousands of Indian citizens – including politicians and celebrities – has been leaked after a Telegram bot uploaded the data of people who had registered on the CoWIN application to get their COVID-19 vaccination shots. 

The data leaked includes the names, date of birth, gender, phone number, Aadhaar details, passport details, location where the first dose was administered, reported The Fourth News and Manorama.

However, the Government of India released a statement on Monday, 12 June, saying,

"Co-WIN portal of Health Ministry is completely safe with safeguards for data privacy. All reports of data breach are without any basis and mischievous in nature. Health Ministry has requested CERT-In to look into this issue & submit a report."
The leaked dataset has also revealed private information about senior politicians, including former union Health Minister Harsh Vardhan, Kerala’s Health Minister Veena George, union minister Meenakshi Lekhi, Congress leaders KC Venugopal and Karti Chidambaram, and Bharatiya Janata Party’s Tamil Nadu President K Annamalai. 

The Telegram bot called ‘Truecaller’, was created on 1 June, and was being run by an account called ‘hak4learn’. It was deleted in the early hours of Monday, 12 June. However, FIT found that the bot became active again at about 12:30 pm, but was not returning any results.

The bot asked users to input either an individual’s phone number or their Aadhar number, following which their private information was sent ahead. 

Why It’s A Cause of Concern- The Big Points

“There are very high chances of at least more than one copy of this database being available, which means that anyone with the database access can do a reverse query based on mobile number.”
Srikanth L, Digital Identities Expert

There are multiple reasons why this data breach is a cause of concern.

DoB Linked to Other Sensitive Information

The bot gives you the date of birth of individuals too which is linked to several other sensitive and private information.

Srikanth L, a digital identity expert from a consumer awareness collective, while speaking to FIT, said,

"What is unique to this data breach is that the date of birth has been leaked too which is not just linked to your phone number, Voter IDs, passport, but also your mutual funds account, your insurance policy, your other accounts, and is often used to reset passwords as well. And date of birth is very critical from a security standpoint which is now compromised."

The Scale Of Breach

The scale of this breach is huge too. If registrations/appointments were made for multiple people using one mobile number, the bot gives you the details of all of those individuals. “Along with your personal data, the data of individuals in your family is also compromised. It’s a single database which has billions of records," says Srikanth.

Data Of Minors Also Leaked

It gives you the data of minors too. Srikanth, who had access to the bot after the breach was first reported by The Fourth News, also tried using some publicly available Aadhar card numbers like that of a minor victim, and some other fraudulent Aadhar cards of non-existent people. He told FIT

"I used the publicly available Aadhar card number of a minor who had died by suicide. The existence of her details showed that this bot has data till at least January 2022 when the vaccination for people under 18 began. And India had already crossed the one billion vaccination mark before that."

Srikanth also mentioned how the ‘digital-first’ vaccination drive essentially enabled centralised data collection by the government fully ignoring privacy concerns which other countries gave due importance to, providing paper based vaccination certificates.

What This Means For Public Health

Dr Anant Bhan, a public health expert, said to FIT, "This is a worrying incident and reinforces the importance of care and due diligence in dealing with privacy of health data and ensuring it is kept confidential."

Dr Bhan is a little concerned that an incident of such a scale might lead to "trust breakdown" among the general public. This could lead to an increased reluctance to share health data or to participate in public health initiatives.

He adds,

"As increasingly health is being digitised, and also the number of stakeholders with the potential to access this data (and with an interest in it) grows, we will need to be careful and cognisant of these risks and recognise that breaches will impact trust in public health. There are risks which need to be anticipated and mitigation and minimisation needs to be prioritised."

NHA Chairman Denies Breach

Ram Sewak Sharma, Chairman of the CoWIN high power panel and CEO of the  National Health Authority, told The News Minute

“How can there be a breach of data? Give me the proof, because when you enter a phone number, the One Time Password (OTP) comes only to that phone number. It is not possible for anyone to access others’ details.”

In January last year too, Sharma had claimed that CoWIN had “state-of-the-art security infrastructure and has never faced a security breach.”

Even Rajeev Chandrasekhar, Union Minister of State for Entrepreneurship, Skill Development, Electronics & Technology, took to Twitter to deny these allegations.

Questions To Be Raised

  • Who all have access to this database now?

  • In what ways can this data be misused?

  • Will this impact the other ‘Digital First’ initiatives the government has been taking?

  • Who will take responsibility?

FIT has reached out to the Health Ministry and the Ministry of Electronics and Information Technology. The story will be updated with their response. 

(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)

Speaking truth to power requires allies like you.
Become a Member
Read More