Video Producer: Garima Sadhwani
Video Editor: Puneet Bhatia
The central government on Monday evening, 12 June, denied reports of an alleged breach of the data of citizens who had registered on the CoWIN portal to be vaccinated against COVID-19.
Earlier that day, news outlets Manorama and The Fourth News were the first to report that a Telegram bot called ‘Truecaller’, run by ‘hak4learn’, was returning the sensitive personal information of individuals when given either their phone or Aadhaar number.
"All such reports are without any basis and mischievous in nature. CoWIN portal of Health Ministry is completely safe with adequate safeguards for data privacy. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal."
Centre's statement in response to the alleged data breach
But several questions remain.
If There Was No Breach, Where Is the Data Coming From?
The Telegram bot was generating sensitive information such as:
Date of birth
Location where the doses were administered
Details of everyone who booked appointments through a single number
If the government is claiming that the data collected through the CoWIN vaccination portal is secure, where did these data sets come from?
If Data Is From Previous Breaches, How Does It Have Info Unique to CoWIN?
Union Minister of State for Information Technology Rajeev Chandrasekhar took to Twitter to say that CoWIN data is safe, but that the data the bot was returning appears to have been stolen previously.
Let's simplify this a little. Imagine Person A registered on CoWIN to get vaccinated and entered their Aadhaar and phone number on the website. Person A also gave this same information to some other entity for some other reason.
What Chandrasekhar is saying is that the details uploaded to CoWIN are absolutely safe, but that the data was stolen from somewhere else in the past. That would have made sense if the bot were not also giving out details such as the location where the doses were administered and how many people booked appointments together.
When you query the bot, the data it returns looks as if its source is CoWIN.
Yes, Person A may have entered their phone number, date of birth, etc on multiple websites for multiple reasons, and it could easily have been stolen from any of them. But they would not have entered the more specific details, such as which members of their family registered on CoWIN from the same number and where they were vaccinated, anywhere else.
In 2021, the government had allowed the integration of third-party apps and services with CoWIN for purposes such as vaccine registrations, booking appointments, and even the downloading of vaccine certificates. Is it possible that the data was allegedly leaked as a result of these third-party platforms being compromised? On the other hand, if CoWIN data was allegedly breached, could other data stored on these third-party platforms also be at risk?
How Was This Data Leaked?
In its statement released on Monday, the Centre said that the following security measures have been put in place for the protection of CoWIN data.
Web Application Firewall
Regular vulnerability assessment
Identity & Access Management
The Centre has also stated that the only parties that can access CoWIN data are the beneficiary, the CoWIN authorised user, and the third-party applications linked with the government.
If all these measures are indeed in place, how was the data still leaked? Where is the vulnerability, and has it been patched? If the data is from a breach that happened in the past, why is it only surfacing now? Also, why are the threat actors giving it away for free? Was it previously available for purchase on hacker forums?
Who All Have Access To This Data Now?
The bot was created on 1 June, and was deleted in the early hours of 12 June, after media reports about it surfaced. Meanwhile, the government's statement says that individual-level vaccinated beneficiary data access is available at the following three levels:
Beneficiary dashboard: "The person who has been vaccinated can have an access to the Co-WIN data through use of registered Mobile number with OTP authentication."
CoWIN authorised user: "The vaccinator with use of authentic login credential provided can access personal level data of vaccinated beneficiaries. But the COWIN system tracks & keeps record of each time an authorized user accesses the COWIN system."
API-based access: "The third party applications who have been provided authorised access of Co-WIN APIs can access personal level data of vaccinated beneficiaries only through beneficiary OTP authentication."
While speaking to FIT, Srikanth L, a digital identity expert from a consumer awareness collective, said that while this data might perhaps be sold to companies, other copies of the dataset could exist as well.
"The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP," read a press release by the Union Ministry of Health and Family Welfare (MoHFW).
The ministry further said that APIs have been shared with third parties such as ICMR for data-sharing purposes.
"It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application," the ministry added.
But this has only raised further questions, such as: which entity has been "white-listed"? And how does the CoWIN API ensure that it accepts requests only from this "very specific" and "trusted" API?
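The three access levels quoted above, and the ministry's description of a "white-listed" trusted API that can look a record up by mobile number alone, raise the practical question of what such a check actually looks like. The Python model below is an added illustration, not CoWIN's code and not anything the ministry has published: all names, addresses, records and limits in it are assumptions. It implements the OTP-gated beneficiary path and the server-to-server path, and contrasts an allow-list check done on a client-controlled header (which a spoofer passes) with one done on an mTLS client certificate plus source address, with every access logged and a per-caller cap so that a compromised partner cannot dump the table.

```python
"""Toy API gateway modelling two access paths: a beneficiary lookup gated by
an OTP sent to the registered mobile number, and a server-to-server lookup by
mobile number alone that is open only to an allow-listed caller. Everything
here (names, addresses, records, limits) is assumed; this is not CoWIN's code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records: not real people, not real numbers.
RECORDS = {
    "9100000001": {"dob": "1988-04-02", "site": "District Hospital, Sample Town",
                   "same_number_bookings": ["9100000001", "9100000003"]},
    "9100000003": {"dob": "2008-11-20", "site": "District Hospital, Sample Town",
                   "same_number_bookings": ["9100000001", "9100000003"]},
}
OTP_TTL = 300          # seconds an OTP stays valid (assumed)
MAX_OTP_ATTEMPTS = 3   # wrong guesses before the OTP is burned (assumed)
# Assumed trusted caller: identified by the SHA-256 fingerprint of its mTLS
# client certificate AND the source address it is expected to come from.
PARTNER_FP = "sha256:" + "ab" * 32
TRUSTED_CALLERS = {PARTNER_FP: {"name": "partner-db", "addrs": {"203.0.113.10"}}}


@dataclass
class Request:
    remote_addr: str                           # TCP peer address, set by the server
    headers: dict = field(default_factory=dict)
    client_cert_fp: Optional[str] = None       # present only when mTLS succeeded


class OtpStore:
    """phone -> (sha256(otp), expiry, attempts left); each OTP is single-use."""
    def __init__(self):
        self._pending = {}

    def issue(self, phone, now=None):
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = (hashlib.sha256(otp.encode()).digest(),
                                (now or time.time()) + OTP_TTL, MAX_OTP_ATTEMPTS)
        return otp  # goes to the handset by SMS; never returned to an API caller

    def verify(self, phone, otp, now=None):
        entry = self._pending.get(phone)
        if entry is None:
            return False
        digest, expiry, attempts = entry
        if (now or time.time()) > expiry or attempts <= 0:
            del self._pending[phone]
            return False
        if hmac.compare_digest(digest, hashlib.sha256(otp.encode()).digest()):
            del self._pending[phone]  # consumed: one OTP, one lookup
            return True
        self._pending[phone] = (digest, expiry, attempts - 1)
        return False


class Gateway:
    def __init__(self, trusted, max_per_window=100):
        self.otps, self.trusted, self.max_per_window = OtpStore(), trusted, max_per_window
        self.quota, self.audit = {}, []  # per-caller counter; access log

    def beneficiary_lookup(self, phone, otp, now=None):
        """Path 1: the caller proves control of the registered number via OTP."""
        ok = self.otps.verify(phone, otp, now)
        self.audit.append(("beneficiary", phone, "OK" if ok else "DENIED"))
        return RECORDS.get(phone) if ok else None

    def trusted_lookup_weak(self, req, phone):
        """Path 2 done badly: 'white-listing' on an IP read from a header the
        client controls. Anyone can write a trusted address into it."""
        claimed = req.headers.get("X-Forwarded-For", req.remote_addr)
        if any(claimed in c["addrs"] for c in self.trusted.values()):
            return RECORDS.get(phone)  # and nothing is logged either
        return None

    def trusted_lookup(self, req, phone):
        """Path 2 done properly: allow-listed client certificate from an
        allow-listed peer address, every call logged, volume capped."""
        caller = self.trusted.get(req.client_cert_fp)
        if caller is None or req.remote_addr not in caller["addrs"]:
            self.audit.append(("trusted", phone, "DENIED", req.remote_addr))
            return None
        name = caller["name"]
        self.quota[name] = self.quota.get(name, 0) + 1
        if self.quota[name] > self.max_per_window:
            self.audit.append(("trusted", phone, "RATE_LIMITED", name))
            return None
        self.audit.append(("trusted", phone, "OK", name))
        return RECORDS.get(phone)


def demo():
    """Exercise both paths; returns which properties held (all should be True)."""
    gw, phone = Gateway(TRUSTED_CALLERS, max_per_window=2), "9100000001"
    otp = gw.otps.issue(phone)
    wrong = f"{(int(otp) + 1) % 10**6:06d}"
    r = {"wrong_otp_denied": gw.beneficiary_lookup(phone, wrong) is None,
         "right_otp_ok": gw.beneficiary_lookup(phone, otp) == RECORDS[phone],
         "otp_replay_denied": gw.beneficiary_lookup(phone, otp) is None}
    stale = gw.otps.issue(phone, now=1_000)
    r["expired_otp_denied"] = gw.beneficiary_lookup(phone, stale, now=1_000 + OTP_TTL + 1) is None
    spoof = Request("198.51.100.77", {"X-Forwarded-For": "203.0.113.10"})
    r["weak_check_leaks_to_spoofer"] = gw.trusted_lookup_weak(spoof, phone) is not None
    r["strict_check_blocks_spoofer"] = gw.trusted_lookup(spoof, phone) is None
    legit = Request("203.0.113.10", client_cert_fp=PARTNER_FP)
    r["strict_check_admits_partner"] = gw.trusted_lookup(legit, phone) == RECORDS[phone]
    gw.trusted_lookup(legit, "9100000003")
    r["bulk_pull_rate_limited"] = gw.trusted_lookup(legit, "9100000003") is None
    r["personal_data_accesses_logged"] = len(gw.audit) == 8
    return r


if __name__ == "__main__":
    for check, held in demo().items():
        print(f"{check:32s} {held}")
```

The point of the contrast is that "only accepts requests from a white-listed API" is meaningful only if the whitelisting is bound to something the caller cannot forge (a client certificate, a peer address the server observed itself), is logged, and is volume-capped; an allow-list keyed on a forwarded IP header gives a bot operator a lookup-by-phone-number oracle with no audit trail.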
How Can This Data Be Misused?
An alleged data breach of this scale, involving this much sensitive information, is cause for concern.
Srikanth had told FIT:
"What is unique to this data breach is that the date of birth has been leaked too which is not just linked to your phone number, Voter IDs, passport, but also your mutual funds account, your insurance policy, your other accounts, and is often used to reset passwords as well. And date of birth is very critical from a security standpoint which is now compromised."
But the bigger issue here is that the datasets of minors too have been breached. Srikanth said that he accessed the bot after news reports surfaced about the breach. Using publicly available Aadhaar card numbers, he said that he was able to access the private data of a minor who had died by suicide in Tamil Nadu.
The fear now is how this data, especially of minors, might be misused.
FIT has reached out to the Health Ministry and the Ministry of Electronics and Information Technology. The report will be updated with their statement, if and when they respond.