Officials of the Indian Computer Emergency Response Team or CERT-In as it is commonly referred to on June 15 denied that the CoWIN portal was hacked and information stolen. Instead, they said that the data was collated from several sources.
CoWIN or Covid Vaccine Intelligence Network is a government portal for vaccinations against the COVID-19 disease that holds cross-referenced information on those who registered for the immunisation drive.
Appearing before the parliamentary standing committee on communication and IT, the CERT-In officials said they were probing the issue. Responding to a query from a member of an opposition party, a CERT-In official said that “CoWIN was a breach-proof portal”.
“The CERT-In officials said the enquiry is at a preliminary stage. They (officials) said that the leak of data didn’t happen from the CoWIN portal, saying the data which is being leaked by a bot is a collation of data bought from several sources,” the opposition lawmaker said, on condition of anonymity.
Also read: No leak of users' data from CoWIN portal, adequate safety measures in place: Govt
Terming the claim “unbelievable”, the committee member asked the government officials how bots on the messaging app Telegram got the vaccination details including the names of hospitals involved if the CoWIN portal wasn’t breached.
“The IT officials said that the CoWIN portal only worked via one-time password (OTP), but they failed to answer as to how the details of passports and vaccinations including hospital names were available online,” he added.
The meeting was attended by the secretary, additional secretary and three other officials including scientists from the Ministry Electronics and Information Technology.
Also read: CloudSEK report says hackers don’t have access to CoWin’s backend database
The member said CERT-In officials dodged the questions related to CoWIN, saying the investigation in the matter was at preliminary stage. “They said multiple APIs (application programming interfaces) have been granted access to the CoWIN portal,” he added.
The parliamentary committee met on June 15 to discuss citizens’ data security and privacy.
The health ministry has refuted the claims of data breach from the CoWIN portal as “baseless” and “mischievous in nature”.
"The CoWIN portal of the Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, various security measures are in place on the CoWIN portal. Only OTP authentication-based access to data is provided. All steps have been taken and are being taken to ensure the security of the data in the CoWIN portal," said a press release.
In a tweet, Union Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said that the matter had been reviewed by CERT-In, the nodal cybersecurity body.
Regarding claims of a Telegram bot accessing users’ personal data, the government clarified that without OTP, vaccinated beneficiaries’ data cannot be shared.
“Only year of birth is captured for adult vaccination but it seems that on media posts it has been claimed that bot also mentioned the date of birth,” the release said. There is no provision to capture the address of the beneficiary, it added.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
