No CoWIN data breach, portal is safe; CERT-In reviews matter

New Delhi: Amid reports of an alleged breach of data on the CoWIN platform, the government on Monday said reports claiming a breach of data of beneficiaries registered on the CoWIN platform were "mischievous" and "without any basis", and that the matter has been reviewed by the country's nodal cyber security agency CERT-In.

The clarification came after reports earlier in the day suggested CoWIN (Covid Vaccine Intelligence Network) data breach, which reportedly allowed access to certain personal information that an individual gave on the government’s portal for vaccination.

According to reports and posts circulating on social media, information including a person's phone number, gender, ID card information, date of birth, last four digits of Aadhaar, as well as the name of the centre where the vaccine was received were also leaked on the channel.

Union Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar asserted that the Indian Computer Emergency Response Team (CERT-In) immediately responded and it does not appear that Cowin app or database has been directly breached.

He said a Telegram Bot was throwing up Cowin app details upon entry of phone numbers. "The data being accessed by bot from a threat actor database, which seems to have been populated with previously breached/stolen data stolen from past. It does not appear that Cowin app or database has been directly breached," the minister said.

There are reports alleging the breach of data from the CoWIN portal, which is repository of all data of beneficiaries who have been vaccinated against COVID-19.

The Health Ministry said that security measures are in place on CoWIN portal with web application firewall, regular vulnerability assessment, and Identity and Access Management.

A statement released Health Ministry said that only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal.

"CERT-In in its initial report has pointed out that backend database for Telegram bot was not directly accessing the APIs of CoWIN database," the statement said.

It said certain Twitter users have claimed the personal data of individuals who have been vaccinated is being accessed using a Telegram (online messenger application) Bot. It is reported that the bot has been able to pull individual data by simply passing the mobile number or Aadhaar number of a beneficiary, the ministry said.

The CoWIN was developed and is owned and managed by the Ministry of Health and Family Welfare. An Empowered Group on Vaccine Administration (EGVAC) was formed for steering the development of COWIN and for deciding on policy issues.

Data access at three levels

At present, the statement said, individual-level vaccinated beneficiary data access is available at three levels.

The first is the beneficiary dashboard -- the person who has been vaccinated can have an access to the Co-WIN data through use of registered Mobile number with OTP authentication.

The second is CoWIN authorised user -- the vaccinator with use of authentic login credential provided can access personal level data of vaccinated beneficiaries.

And, then there is API-based access -- the third party applications who have been provided authorised access of Co-WIN APIs can access personal level data of vaccinated beneficiaries only through beneficiary OTP authentication.

According to the statemnt, the COWIN system tracks and keeps record of each time an authorided user accesses the COWIN system. Without OTP, vaccinated beneficiaries’ data cannot be shared to any BOT.

"The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP. In addition to the above, there are some APIs which have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application," it said.

Inputs from PTI