CoWIN data leak: The government contradicts itself on data breach

The private information of crores of citizens who had enrolled on the Co-WIN website and app for their COVID-19 vaccination has reportedly been leaked by private players using a Telegram bot in a major data breach. The Minister of State for Electronics and IT Rajeev Chandrasekhar claimed that the CoWIN portal was not “directly breached” and was “previously breached”.

The minister stated that the Telegram bot seems to have been populated with “previously breached data” as it does not appear that the CoWIN app or database has been directly breached. However, this contradicts what CoWIN chief executive RS Sharma has reiterated in both 2021, when the news of the first data breach of the CoWIN website was reported, and in 2022.

A Telegram bot has been giving away the details of individuals who registered for COVID-19 vaccinations including their names, date of birth, phone numbers and other details provided at the time of registration, such as passport or Aadhaar numbers among others. These details could be accessed even if the Aadhaar number was entered instead of the phone number. This was first reported by the Malayalam news website The Fourth News.

In 2021, when reports emerged that the CoWIN portal got hacked, and resulted in the sale of the database of 15 crore people, the union government had dismissed these reports. RS Sharma had stated that “the claims of so-called hackers on the dark web, relating to the alleged hacking of the Co-WIN system and data leak, is baseless". He heads the CoWIN portal, and is also the Chairman of the Empowered Group on Vaccine Administration (EGVAC).

In June 2021, the government said in a statement, “There have been some unfounded media reports of the CoWIN platform being hacked. Prima facie, these reports appear to be fake. However, the Health Ministry and the EGVAC are getting the matter investigated by the Computer Emergency Response Team of MietY.”

Then in 2022, Sharma reiterated that CoWin had state-of-the-art security infrastructure and has never faced a security breach. “Data of our citizens on CoWIN is absolutely safe and secure. Any news about data leaks from CoWIN holds no merit,” he asserted.

In the latest statement, the ministry has not clarified whether or not the COWIN database was breached recently or in the past. The health ministry has been asserting that the database cannot be hacked as the only way to access COWIN system is only through an OTP. The ministry also said that the website has adequate security measures to safeguard the data.

Questioning the ministry, Apar Gupta of the Internet Freedom Foundation wanted to know what the minister’s statement "seems to have been populated with previously breached/stolen data” meant. He pointed out that this indicated that there has been a data breach in the past. “Has there been any investigation from which entities/persons this was breached? What date was it breached?”

Gupta wanted the minister to provide a basis the finding that the CoWIN app or database had been directly breached. “Is this the basis of an investigation by MEITY or Ministry of Health and Family Welfare that runs CoWin? Will the technical findings be made public when finalised to increase citizen trust and place accountability?” asked Gupta.

The Software Freedom Law Centre, an organisation defending digital freedoms, said this leak raises continuing issues, such as the lack of effective data security measures, inadequate user authentication process in the system, and the insufficient privacy terms of the CoWIN app.

The organisation highlighted that it had written to Prime Minister’s Office, Ministry of Health and Family Welfare and National Health Authority in 2021 several times regarding the problems related to COWIN. It had highlighted that several people have raised concerns that they received vaccination certificate – without getting any of the doses or after getting first dose but not the second dose.

There have been instances where people have received incorrect certificates with their names spelled incorrectly, different names or different date of birth, SFLC had stated in their letter. They had also filed an intervention application in the Supreme Court in suo motu case Re Distribution of essential supplies and services during pandemic.

SFLC had highlighted the technical glitches faced by people including the issues related to the OTPs and incorrect registrations. The CoWIN portal has failed to address the basic task of processing registrations correctly. There have been innumerable reports of citizens facing hardship because of incorrect registration or a false allocation or mismatch of phone numbers. 

The ministry has asked the Indian Computer Emergency Response Team (CERT-In) to submit a final report. This was the organisation which had reviewed the breach and found that the COWIN app and website had not been “directly breached”.

Security breach

The secretary of the Union Health Ministry Rajesh Bhushan, Union Minister of State Meenakshi Lekhi, Congress leaders KC Venugopal, Jairam Ramesh and P Chidambaram and TMC leader Derek O’Brien were among those whose details were leaked. When Bhushan's number was entered, details including the final four letters of the Aadhaar number and date of birth were revealed along with personal details of his wife Ritu Khanduri, the MLA from Uttarakhand’s Kotdwar.

Details of several politicians cutting across parties such as TRS leader Kalvakuntla Taraka Rama Rao, DMK MP Kanimozhi Karunanidhi, BJP Tamil Nadu President K Annamalai, Congress MP Karti Chidambaram and former health minister Harsh Vardhan of the BJP had also been leaked through this Telegram bot.