Govt Refutes CoWIN Data Breach Allegations, Says Platform Foolproof

SUMMARY

Union minister Rajeev Chandrasekhar said that it does not appear that the CoWIN app or database was directly breached

The data being accessed by a Telegram bot from a threat actor database seems to have been populated with previously stolen data, the minister said

Among other details that have allegedly been compromised are the phone number, date of birth, and the last four digits of the Aadhaar number of citizens, which are being circulated on some social media platforms


After reports of an alleged data breach on the CoWIN platform surfaced on Monday (June 12) morning, union minister Rajeev Chandrasekhar said that it does not appear that the CoWIN app or database has been directly breached.

“With reference to some alleged CoWIN data breaches reported on social media, the Indian Computer Emergency Response Team (Under Ministry of Electronics and Information Technology) has immediately responded and reviewed this,” the minister tweeted.

According to the minister, a Telegram bot was throwing up CoWIN app details upon entry of phone numbers. However, the data being accessed by the bot from a threat actor database seems to have been populated with previously stolen data, the minister added.

“It does not appear that the CoWIN app or database has been directly breached,” he said.

In a separate statement, the health ministry said that all such reports on CoWIN data breach are without any basis and mischievous in nature.

As per some media reports, data of citizens who have received Covid vaccination in the country has been breached. Among other details that have allegedly been compromised are the phone number, date of birth, and the last four digits of their Aadhaar number, which are also being circulated on some social media platforms.

The CoWIN portal is a repository of all data of beneficiaries who have been vaccinated against Covid-19.

It was alleged that the personal data of individuals who have been vaccinated is being accessed using a Telegram bot.

“CoWIN portal of the health ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on the CoWIN portal with web application firewall, anti-DDoS, SSL/TLS, regular vulnerability assessment, identity and access management, etc. Only OTP authentication-based access to data is provided. All steps have been taken and are being taken to ensure the security of the data in the CoWIN portal,” the ministry said in a statement.

The ministry also added that the development team of CoWIN has confirmed that there are no public APIs where data can be pulled without an OTP.

“In addition to the above, there are some APIs which have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the CoWIN application,” the ministry added.

While the health ministry requested the Indian Computer Emergency Response Team to look into the matter and submit a report, an internal exercise has also been initiated to review the existing security measures of CoWIN.
