post-add

Health Ministry Denies Direct CoWIN Data Breach, Directs CERT-In To Probe

On Monday, The Union Health Ministry said that it has requested the Indian Computer Emergency Response Team (CERT-In) to look into the CoWIN data breach reported in the media and submit a report adding that an additional internal exercise has also been initiated to review the existing security measures of CoWIN.

The Health Ministry stated that the CERT-In in its initial report pointed out that the backend database for the Telegram bot was not directly accessing the APIs of the CoWIN database.

Earlier in the day reports in the media claimed that a serious data breach of CoWIN data has occurred over the messaging application Telegram. The reports said that the data includes mobile numbers, Aadhaar numbers, Passport numbers, Voter IDs, and details of family members which have been leaked on the messaging application. 

As per the reports in the media, the details were accessed through a telegram bot that provides all the details once the mobile number or the Adhaar number is fed into the system

Denying these media reports, the Health Ministry said the development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP. In addition to the above, there are some APIs which have been shared with third parties such as ICMR for sharing data, the Ministry clarified. 

"It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application," the Health Ministry's statement read. 

The Union Health Ministry called the reports in the media "without any basis" and "mischievous" in nature, adding that the Co-WIN portal of the Health Ministry is completely safe with adequate safeguards for data privacy. 

Union Minister of State for Entrepreneurship, Skill Development, Electronics and Technology, Rajeev Chandrasekhar in a Twitter post said that CERT-IN has responded and reviewed the data breach. In a Twitter, post-Chandrasekhar agreed that a Telegram bot was throwing up CoWIN details upon entry of phone numbers but said that the data breached is old and was stolen in the past.

He further said that CoWIN App or database has not been directly breached adding that the government has finalised the National Data Governance policy which will create a common framework of Data storage, Access and Security standards across all of government.

Pavan Choudary, Chairman, of the Medical Technology Association of India (MTaI) said, "Health data is the most monetizable data for hackers. However, the details which have been stolen (as per media reports), are not the ones that can be used to extort or coerce. Data regarding sexual and terminal diseases is what is used usually for coercive exploitation.”

Choudary further added, "That said, if this breach is real, it is an alarm bell which may augur the possibility of identity thefts. And the government needs to ringfence all the data reservoirs. The recent attacks on AIIMS, ICMR, and now Co-WIN App, make the passage of the Data Protection Bill becomes ever more urgent."

Also Read

Subscribe to our newsletter to get updates on our latest news