CoWin data leak: Aadhaar, PAN Card, and Passport details leaked on Telegram

Personal information of Indian citizens, uploaded on the Central government’s CoWIN portal so as to receive the COVID-19 vaccine shots, was leaked on the messaging platform Telegram for anyone to freely access. Exactly two years ago on 12 June 2021, the CEO of the National Health Authority RS Sharma had rubbished the claims of a data breach on the CoWIN website.

Details including Aadhar card number, PAN Card information, passport number, date of birth and location of vaccination and number of doses were also given as soon as a mobile number registered with the CoWIN portal was entered. These details could be accessed even if the Aadhaar number was entered instead of the phone number. This was first reported by the Malayalam news website The Fourth News.

If several people had registered using a single phone number on the CoWIN portal, details of all those people would also be shared as soon as the mobile number was put in.

The secretary of the Union Health Ministry Rajesh Bhushan, Union Minister of State Meenakshi Lekhi, Congress leaders KC Venugopal, Jairam Ramesh and P Chidambaram and TMC leader Derek O’Brien were among those whose details were leaked. When Bhushan's number was entered, details including the final four letters of the Aadhaar number and date of birth were revealed along with personal details of his wife Ritu Khanduri, the MLA from Uttarakhand’s Kotdwar.

Details of journalists such as journalists Rajdeep Sardesai of India Today and Barkha Dutt of Mojo Story were also leaked.

In 2021, when reports emerged that CoWIN portal got hacked, and resulted in the sale of the database of 15 crore people, the union government had dismissed these reports. A website called Data Leak Market claimed that it was selling a database for Covid-19 vaccination in India and it underscored that it did not originally leak the data and was merely reselling the data

Then, the CEO of National Health Authority RS Sharma had stated that “the claims of so-called hackers on the dark web, relating to the alleged hacking of the Co-WIN system and data leak, is baseless". He heads the CoWIN portal, and is also the Chairman of the Empowered Group on Vaccine Administration (EGVAC).

However, contrary to his claims, even his personal details were leaked on Telegram for all to access.

In June 2021, the government said in a statement, “There have been some unfounded media reports of the CoWIN platform being hacked. Prima facie, these reports appear to be fake. However, the Health Ministry and the EGVAC are getting the matter investigated by the Computer Emergency Response Team of MietY.”

Then in 2022, Sharma reiterated that CoWin had state-of-the-art security infrastructure and has never faced a security breach. “Data of our citizens on CoWIN is absolutely safe and secure. Any news about data leaks from CoWIN holds no merit,” he asserted.

During vaccination for Covid-19, it was compulsory to log into the CoWIN portal via the apps for booking vaccination slots.