A day after a major data breach involving the private information of citizens who had availed COVID-19 vaccination was reported in the media, the Union government has claimed that the data, which was being shared by a Telegram bot, seems to have been accessed from “previously breached/stolen data from the past.” At the same time, the government has also claimed that it does not appear that the CoWIN database or app itself has been “directly breached.” However, the Union Health Ministry has asked the Indian Computer Emergency Response Team (CERT-In) to look into the issue and submit a report. "In addition, an internal exercise has been initiated to review the existing security measures of CoWIN," a response from the Union Ministry of Health and Family Welfare said.
TNM reported on Monday, June 12, that a Telegram bot had been giving away the details of individuals who registered for COVID-19 vaccination including their names, date of birth, phone numbers and other details provided at the time of registration. The breached data includes passport and Aadhaar numbers. TNM entered the mobile numbers of various politicians including Telangana Minister KT Rama Rao, DMK MP Kanimozhi Karunanidhi, BJP Tamil Nadu president K Annamalai and many others, who confirmed that the passport numbers returned by the bot were indeed theirs. The story was first broken by Reshma Asokan, a reporter with The Fourth News, a Malayalam news portal.
On Monday afternoon, Union Minister of State for Electronics & Technology Rajeev Chandrasekhar acknowledged that a Telegram bot was returning people’s personal details from the CoWIN app upon entry of phone numbers. He said that the Indian Computer Emergency Response Team of the Union Ministry of Electronics & Information Technology had reviewed the data breach reported on social media, and said, “The data being accessed by bot from a threat actor database, which seems to have been populated with previously breached/stolen data stolen from the past.” He went on to claim that it did not appear that the CoWIN app or database had been “directly breached.”
With ref to some Alleged Cowin data breaches reported on social media, @IndianCERT has immdtly responded n reviewed this
— Rajeev Chandrasekhar (@Rajeev_GoI) June 12, 2023
A Telegram Bot was throwing up Cowin app details upon entry of phone numbers
The data being accessed by bot from a threat actor database, which seems to…
Two years ago in June 2021, a hacker group named 'Dark Leak Market' claimed in a tweet that it had a database of about 15 crore Indians who registered themselves on the CoWIN portal. However, the Union government had dismissed concerns over these claims and media reports at the time. Dr RS Sharma, Chairman of the Empowered Group on Vaccine Administration (CoWIN), had claimed back then that "CoWIN stores all the vaccination data in a safe and secure digital environment. No CoWIN data is shared with any entity outside the CoWIN environment.” The Union government’s Arogya Setu mobile app under the Union Ministry of Health had stated that reports of the CoWIN platform being hacked, prima facie appear to be fake.
Reports of #CoWIN platform being hacked, prima facie appear to be fake.
— Aarogya Setu (@SetuAarogya) June 10, 2021
Out of abundant precaution, emergency response team of @GoI_MeitY is investigating the matter.
Data speculated to have been leaked such as geo-location of beneficiaries, is not even collected on Co-WIN.
Now, after the data breach brought to light by the Telegram bot, the Union government has claimed that the data shared by the bot is likely to have been from “previously breached/stolen data.” However, it is unclear which instance of past breach Rajeev Chandrasekhar is referring to, and where this data could’ve leaked from if not from the CoWIN database itself.
Technology journalist Aditi Agrawal pointed out that even if the bot had accessed data from a past breach unrelated to CoWIN, the CoWIN database itself must have been breached at least once, for the bot to throw up details specific to the CoWIN database. The other possibility, she pointed out, is if multiple major government databases were breached and many individuals’ details thus compromised were then linked back to their identities, to create a comprehensive multi-dimensional database comprising all of their personal data.
CoWin database was breached/leaked at least once, either recently or in the past. It is only then that such data linkage can happen.
— Aditi Agrawal (@Aditi_muses) June 12, 2023
The other scenario is that somehow all the related data fields were siloed in different databases but all these databases were separately
Rajeev Chandrasekhar also mentioned in his response that the National Data Governance Policy would create a common framework of data storage, access and security standards for all government entities.