Major data breach: Info of Indians who took Covid vaccine made public by Telegram bot

The private information of the lakhs of citizens, who registered on the CoWIN app to get their COVID-19 vaccination, appears to have been leaked to private players in a major data breach. A Telegram bot has been giving away the details of individuals who registered for COVID-19 vaccinations including their names, date of birth, phone number and other details provided at the time of registration, such as passport or Aadhaar numbers among others. TNM used the bot and entered the mobile numbers of several politicians cutting across parties like Telangana's Minister of Information and Communication Technology Kalvakuntla Taraka Rama Rao (popularly known as KTR), DMK Member of Lok Sabha Kanimozhi Karunanidhi, BJP Tamil Nadu President K Annamalai, Congress Member of Lok Sabha Karti Chidambaram and Former Union Minister of Health Harsh Vardhan of the BJP. All of  them had given their passport numbers for booking vaccination slots. We further verified with all the politicians except Harsh Vardhan that their details including their passport numbers were authentic. Karnataka Chief Minister Siddaramaiah’s Chief Advisor KV Prabhakar had given his Aadhaar details for registration, and he confirmed that the last four digits were of his Aadhaar number.

Read: 60 crore emails and other personal data stolen and sold: Decoding Cyberabad data theft

The story was first broken by Reshma Asokan, a reporter with The Fourth News, a Malayalam news portal. The Fourth had entered details of  Ram Sewak Sharma, chairman of CoWin high power panel, Kerala Health Minister Veena George, Congress General Secretary KC Venugopal and Union Minister of State Meenakhi Lekhi and found their details.

When TNM reached out to RS Sharma, the Chief Executive Officer of the National Health Authority, who had vouched for CoWIN to be “safe and secure” in January last year, he refused the possibility of a breach. “How can there be a breach of data? Give me the proof, because when you enter a phone number, the One Time Password (OTP) comes only to that phone number. It is not possible for anyone to access others’ details,” he said when informed about the Telegram bot.

#CoWIN has state-of-the-art security infrastructure and has never faced a security breach. Data of our citizens on CoWIN is absolutely #safe and #secure. Any news about data leaks from CoWIN holds no merit.

— Dr. RS Sharma (@rssharma3) January 21, 2022

On June 12, a TNM reporter joined a Telegram channel named Hak*****.. Only those who join this channel can access details from the bot. The Telegram bot called truecaller***** allows two options- mobile number or Aadhaar. If the mobile number for example is in the system, then the details appear as the next message.

The bot also gave details of everyone who were registered for the vaccination using the same number. In Kanimozhi’s case, the passport number of her son too was available. A TNM journalist who had registered for three people’s vaccination under her CoWIN registration ID confirmed that the details given away by the bot were precise. The bot was taken down around 9.00 am.

Srikanth L, from Cashless Consumer, a consumer awareness collective said, “CoWin data leak appears to be the largest data breach and is a Digital Public Infrastructure disaster exposing date of birth and family relationship data of everyone who took a jab with-in the first billion doses.”

Citing that the bot is now exposing the date of birth of a large number of people, Srikanth added, “Financial regulators such as the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI) must issue guidelines to regulated entities like banks and mutual funds to avoid any sensitive operation using date of birth to prevent fraudsters from exploiting the common man.” However, it is to be noted that people who have not provided their date of birth at the time of registering on CoWIN, and had only opted to provide the year of their birth, have been assumed by the bot to have been born on January 1 of their respective birth year.

Initially the Telegram bot gave away the complete Aadhaar number of individuals but however, eventually only showed the last four digits. The immediate consequence of the Telegram bot is that those who have phone numbers of individuals can access their name, gender, ID data (passport number or Aadhaar ID), location of first dose of the COVID vaccine and date of birth (although that seems to be wrong in many instances). The larger implications are far more worrying, for it raises questions as to how much more data has been leaked, who has access to it, and how the data is being used.

This is however not the first time that such a leak has been reported.  In June 2021, a hacker group named 'Dark Leak Market' had claimed  that it had the database of about 15 crore Indians who registered themselves on the CoWIN portal.

At that time, Sharma had reacted saying, “We wish to state that CoWIN stores all the vaccination data in a safe and secure digital environment. No CoWIN data is shared with any entity outside the CoWIN environment. The data being claimed as having been leaked, such as the geo-location of beneficiaries, is not even collected at CoWIN."

Read this thread by TMC spokesperson Saket Gokhale who has accessed details of several politicians and journalists.

There are several Opposition leaders which include:

1. Rajya Sabha MP & TMC Leader Derek O'Brien

2. Former Union Minister P. Chidambaram

3. Congress leaders Jairam Ramesh & K.C. Venugopal@derekobrienmp @PChidambaram_IN @Jairam_Ramesh @kcvenugopalmp

(2/7) pic.twitter.com/JnD5EKhPBO

— Saket Gokhale (@SaketGokhale) June 12, 2023

On Monday afternoon, Union Minister of State for Electronics & Technology Rajeev Chandrasekhar acknowledged that a Telegram bot was returning people’s personal details from the CoWIN app upon entry of phone numbers. He said that the Indian Computer Emergency Response Team of the Union Ministry of Electronics & Information Technology had reviewed the data breach reported on social media, and said, “The data being accessed by bot from a threat actor database, which seems to have been populated with previously breached/stolen data stolen from the past.” He went on to claim that it did not appear that the CoWIN app or database had been “directly breached.”

With ref to some Alleged Cowin data breaches reported on social media, @IndianCERT has immdtly responded n reviewed this

✅A Telegram Bot was throwing up Cowin app details upon entry of phone numbers

✅The data being accessed by bot from a threat actor database, which seems to…

— Rajeev Chandrasekhar (@Rajeev_GoI) June 12, 2023

Responding to the minister's claim, technology journalist Aditi Agrawal pointed out that even if the bot had accessed data from a past breach unrelated to CoWIN, the CoWIN database itself must have been breached at least once, for the bot to throw up details specific to the CoWIN database. The other possibility, she pointed out, is if multiple major government databases were breached and many individuals’ details thus compromised were then linked back to their identities, to create a comprehensive multi-dimensional database comprising all of their personal data.

Point 2 is the most important one here.

The question is raises it that how was previously breached data (presumably non CoWin data) linked with details specific to CoWin database (like place of vaccination, ID used, people linked to the same number)?

That can only happen if https://t.co/YNXVPbRTFi

— Aditi Agrawal (@Aditi_muses) June 12, 2023

Read: Union govt claims Covid vaccination data breach is from previously stolen data