The government on June 12 said that claims of data breach from the CoWIN portal are baseless and mischievous in nature.
"CoWIN portal of the Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, various security measures are in place on the CoWIN portal. Only OTP authentication-based access to data is provided. All steps have been taken and are being taken to ensure the security of the data in the CoWIN portal," said a press release.
In a tweet, Union Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said that the matter had been reviewed by nodal cybersecurity body CERT-IN. According to him, the data that was being accessed by the bot was from a threat actor database that was populated “with previously breached/stolen data from the past”. He maintained that it does not appear that the CoWIN app or database has been directly breached.
Regarding claims of a Telegram BOT accessing users’ personal data, the government clarified that without an OTP, vaccinated beneficiaries’ data cannot be shared with any BOT. “Only Year of Birth (YOB) is captured for adult vaccination but it seems that on media posts it has been claimed that the BOT also mentioned the Date of Birth (DOB),” the release said. There is no provision to capture the address of the beneficiary, it added.
The development team of CoWIN has confirmed that there are no public APIs where data can be pulled without an OTP. In addition to the above, there are some APIs which have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application, the release said.
In addition, an internal exercise has been initiated to review the existing security measures of CoWIN. CERT-In in its initial report has pointed out that the backend database for the Telegram bot was not directly accessing the APIs of the CoWIN database.
Earlier in the day, an official from MeiTY (Ministry of Electronics and Information Technology) confirmed the alleged breach of data on the CoWIN platform and told Moneycontrol that a team from the CERT-IN (Indian Computer Emergency Response Team) has initiated an investigation into the matter.
The bot in question, which was publishing this information, has been disabled, an official said.
S Gopalakrishnan, CEO of the National Health Authority, refused to comment on a query from Moneycontrol in the matter.
According to the Malayalam Manorama newspaper, which first reported the leak and independently verified it, the personal information of every citizen who used the app can be seen using a Telegram bot, where one simply needs to enter the phone number to see the details.
Reportedly, the Secretary of the Union Health Ministry, Rajesh Bhushan, was one of the victims, along with several prominent names such as CoWIN Chairman Ram Sewak Sharma, Kerala Health Minister Veena George, Congress General Secretary KC Venugopal, Union Minister of State Meenakshi Lekhi, journalists Rajdeep Sardesai and Barkha Dutt, and more.