CoWIN data ‘leak’: Why the govt statement raises more questions
Current situation:
- According to Minister of State for Electronics and IT Rajeev Chandrasekhar, the Indian Computer Emergency Response Team (CERT-In), the nodal cyber security organisation, reviewed the alleged breach following reports that CoWIN data had been accessed by a Telegram bot, and determined that the CoWIN portal was not “directly breached”.
- According to the minister, an automated Telegram account was allegedly distributing data, including users’ Aadhaar and passport details, using previously compromised databases.
The response of the central government:
- The Ministry of Health press release first describes the three ways in which CoWIN data can be accessed:
  - A one-time password (OTP) delivered to the user’s mobile number allows access to their data on the site.
  - A vaccine provider can access a person’s data, and the CoWIN system tracks and logs each time an “authorised” user accesses the system.
  - After OTP authentication, third-party applications with allowed access to CoWIN APIs can access the personal level data of immunised individuals.
- It then asserts that data cannot be shared with the Telegram bot without an OTP. The Ministry also stated that CoWIN only collects a person’s year of birth and that there is no option to capture a person’s address on CoWIN. Some sources, however, claimed that the bot also displayed people’s dates of birth.
- According to the government, CERT-In examined the alleged breach and determined that the Telegram bot had obtained information from a “threat actor database.” That database “seems to have been populated with” previously compromised data that was unrelated to CoWIN.
- The CoWIN app or database does not appear to have been directly compromised, Chandrasekhar continued.
Was there a breach, though?
- The Ministry has not made it clear whether the CoWIN database has been compromised, either recently or in the past.
- Its entire justification rests on the fact that CoWIN’s system can only be accessed via an OTP or a vaccinator whose access is recorded.
- Although the Ministry claimed to have sufficient security procedures in place to safeguard CoWIN’s database, it has never claimed that the database has not been impacted.
- The only possibility this leaves open is that the Telegram bot was not pulling data from CoWIN in real time.
- The Ministry’s statement also provides no evidence to refute claims that the Telegram bot was able to precisely retrieve citizens’ data associated with a specific phone number, nor does it explain why the details provided by the bot, such as the location of a vaccination or the ID that was used, were unique to the CoWIN database.
- In addition, CERT-In has not yet provided the Ministry with a final report on the incident. It would therefore be premature to rule out a breach until CERT-In makes that clear in its report.
- Even if one were to accept the government’s second justification, which holds that the database the Telegram bot was using had been created from data exposed in earlier breaches, that too raises some red flags.
Conclusion:
- CERT-In has been requested by the Health Ministry to investigate this matter and produce a final report.
- The government also announced that the National Data Governance policy, which will establish a uniform framework for data storage, access, and security standards throughout the entire government, has been finalised.