On Monday, reports alleged a breach of data from the CoWIN portal of the Union Health Ministry, claiming that personal details of over 100 million users, including their names, Aadhaar numbers, and vaccination status, were exposed. It was reported that a Telegram bot was uploading sensitive information of individuals when someone simply put in either their phone or Aadhaar number. The Union Health Ministry said on Monday that the reports about the breach were without basis and mischievous and that the platform is “completely safe”, a view supported by cybersecurity experts.
“I do not think all this data can be fetched from CoWIN as the platform does not directly collect and store this information,” says Amit Jaju, Senior Managing Director, Ankura Consulting Group (India). He adds, “There are places on the dark web where many times false data dumps are created to fraudulently earn money by fraudsters. Unless the authenticity of such breaches is not confirmed independently, we cannot rely on data available on the dark web.”
Following the reports, the Ministry of Health and Family Welfare clarified that the CoWIN portal is completely safe, with adequate safeguards for data privacy. Furthermore, security measures are in place on the CoWIN portal, including a Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity and Access Management, etc. Only OTP authentication-based access to data is provided. All necessary steps have been taken and are being taken to ensure the security of the data in the CoWIN portal. The platform was developed and is owned and managed by MoHFW. An Empowered Group on Vaccine Administration (EGVAC) was formed to steer the development of CoWIN and make decisions on policy issues.
While the government said the CoWIN portal was not “directly breached”, cybersecurity experts believe that because users' data was available on a Telegram bot-run channel, some form of breach had occurred. The latest tweet from the Minister indicated that the bot used some “previously stolen data”. The fact remains that some kind of data breach has occurred within the databases.
While a direct breach hasn’t happened, Akshara Bassi, Senior Research Analyst, Counterpoint Research, explains, “It is possible to fetch the data from CoWIN as the data can be accessed through APIs. Normally, the third-party APIs have to be given access and be approved by the data-owning agency – in this case CoWIN – before any data sharing happens. The second way to get this data is having access to the database where all the personal information is stored. Usually, if any unknown identity gets access to the database without any permission, the data is usually hacked.”