In a major data breach, information of lakhs of Indians who took COVID-19 vaccinations after registering on the CoWIN app seems to have been leaked on Monday.
A Telegram bot provided the name, date of birth, gender, phone number, passport or Aadhaar number, ID card used for vaccination, the vaccination centre’s name and the number of doses of a person registered with the app if his/her mobile number was entered, according to a story broken by Malayalam news portal The Fourth News.
The Fourth News found the details of CoWIN chairman RS Sharma, Kerala health minister Veena George, Congress general secretary KC Venugopal and Union minister of state for external affairs Meenakhi Lekhi using the bot.
Initially, the bot, taken down by 9 am, gave away the complete Aadhaar number but eventually showed only the last four digits.
The Aadhaar card, voter ID and PAN card numbers of lakhs of Indians were accessible to anyone on Telegram, The News Minute (TNM) reported.
Trinamool Congress (TMC) spokesperson Saket Gokhale tweeted that the details of several politicians and journalists were leaked: Rajya Sabha MP and TMC Leader Derek O’Brien, former Union minister P Chidambaram, Congress leaders Jairam Ramesh and Venugopal, Rajya Sabha deputy chairman HN Singh, Rajya Sabha MPs Sushmita Dev, Abhishek Manu Singhvi and Sanjay Raut, and journalists Rajdeep Sardesai (India Today), Barkha Dutt (Mojo Story), Dhanya Rajendran (TNM) and Rahul Shivshankar (Times Now).
Using the bot, TNM obtained the details of Telangana’s IT and communications ministry KTR Rao, DMK Lok Sabha member Kanimozhi Karunanidhi, BJP Tamil Nadu president K Annamalai, Congress Lok Sabha Karti Chidambaram and verified them. Karnataka chief minister Siddaramaiah’s chief adviser KV Prabhakar confirmed his Aadhaar number.
A TNM reporter joined a Telegram channel named Hak*****. on June 12—only users of these channel could access the details from the bot. The bot, called truecaller*****, allowed the option of either entering the mobile or Aadhaar number. If the mobile number is registered, the details appear as the next message.
“Financial regulators such as the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI) must issue guidelines to regulated entities like banks and mutual funds to avoid any sensitive operation using date of birth to prevent fraudsters from exploiting the common man,” he added.
However, Sharma, who had vouched for the safety and security of CoWIN in January 2022, refuted the breach. “How can there be a breach of data? Give me the proof. Because when you enter a phone number, the one-time password comes only to that phone number. It is not possible for anyone to access others’ details,” he told TNM.
When a hacker group called Dark Leak Market claimed to have hacked the details of 15 crore Indians on CoWIN in June 2021, Sharma had claimed that “CoWIN stores all the vaccination data in a safe and secure digital environment. No CoWIN data is shared with any entity outside the CoWIN environment. The data being claimed as having been leaked, such as the geo-location of beneficiaries, is not even collected at CoWIN.”
Portal Safe, CERT to Look Into CoWIN Data Breach Issue: Health Ministry
COWIN Data Breach
▶️ Co-WIN portal of @MoHFW_INDIA is completely safe with safeguards for Data Privacy
▶️ Only OTP authentication-based Access of Data is provided
Read here: https://t.co/YkERvWDMcg
— PIB India (@PIB_India) June 12, 2023
The Union Health Ministry on Monday said reports claiming breach of data of beneficiaries registered on the CoWIN platform were “without any basis”, and that it has requested the country’s nodal cyber security agency CERT-In to look into the issue and submit a report.
While asserting that the CoWIN portal is completely safe with adequate safeguards for data privacy, it said an internal exercise has been initiated to review the existing security measures of CoWIN.
There are reports alleging breach of data from the Co-WIN portal of the Union health Ministry, which is repository of all data of beneficiaries who have been vaccinated against COVID19, the health ministry said in a statement, according to PTI.
“It is clarified that all such reports are without any basis and mischievous in nature. Co-WIN portal of Health Ministry is completely safe with adequate safeguards for data privacy,” it said.
The ministry, however, said it has requested the Indian Computer Emergency Response Team (CERT-In) to look into the issue and submit a report.
Source- newsclick.in, 12 Jun 2023.