The Indian government has swiftly responded to reports of an alleged data breach of the CoWIN database, which stores information of individuals registered for COVID-19 vaccinations. Following the emergence of an automated bot on Telegram that exposed personal details of CoWIN users, the government clarified that the data appeared to have been sourced from a different database containing previously stolen information. While the CoWIN app and database were not directly breached, the incident has raised concerns about data security and the protection of sensitive personal information.
Investigation and Response:
Hours after the reports surfaced, Minister of State for Electronics and Technology, Rajeev Chandrasekhar, confirmed that the Indian Computer Emergency Response Team (CERT-In) had initiated an investigation into the alleged breaches. It was discovered that a Telegram bot was sharing CoWIN app details upon entering a phone number. The bot was quickly taken down once it was discovered and reported by news outlets.
The government’s response indicated that the bot was accessing data from a separate threat actor database, suggesting that the information had been obtained from a previous breach. However, specific details about the previous breach, including its origin and disclosure, were not disclosed.
No Direct Breach of CoWIN:
Chandrasekhar clarified through a Twitter post that it did not appear that the CoWIN app or database had been directly breached. The government has not provided explicit details on how the CoWIN user details were available to the bot, especially since the CoWIN app and website were not directly affected. This raises questions regarding the possible security gaps or vulnerabilities in the system that allowed unauthorized access to user information.
CoWIN Data Access and Security Measures:
In a press release, the government outlined the levels of data access within the CoWIN platform. Access was available to the vaccine recipient, authorized vaccinators, and third-party applications that utilized API-based authentication via one-time password (OTP). The system logged each attempt made by authorized vaccinators to access the CoWIN platform, ensuring accountability.
The government emphasized that data from the CoWIN platform could not be shared with an automated bot without the vaccine recipient’s OTP. Furthermore, the system only recorded the year of birth for vaccination, contrary to claims on social media suggesting that the bot provided the exact date of birth. The CoWIN development team also confirmed that specific APIs were shared with trusted entities like the Indian Council for Medical Research (ICMR), but requests were only accepted from approved API whitelists.
Investigation and Future Measures:
To address the alleged breach, the Union Health Ministry has tasked CERT-In with conducting a comprehensive investigation and submitting a report on its findings. The government aims to identify any potential vulnerabilities in the CoWIN system and implement appropriate security measures to enhance data protection and prevent similar incidents in the future.
Conclusion:
The government’s swift response to the alleged breach of the CoWIN database highlights its commitment to ensuring data security and privacy for individuals registered on the platform. While the CoWIN app and database may not have been directly breached, the incident underscores the importance of continually strengthening security measures to safeguard sensitive personal information. As the investigation unfolds, it is expected that additional measures will be implemented to bolster the security of the CoWIN platform, providing users with increased confidence in the protection of their data.
