New Delhi: Two days after the Malayala Manorama reported that CoWIN data had been made available to everyone on a Telegram channel, there has been little by way of government action except for denials and the note that the private information database had come from “previously stolen data”.

The Computer Emergency Response Team (CERT-In) has not released an update on its assessment of the leak yet, nor has it issued an advisory on how impacted people should act to secure themselves.

The Hindu has reported, quoting a senior police official, that no first information reports have been filed on the leak yet.

The report also noted that private cybersecurity firm CloudSEK, in a report of its own, highlighted that the data appears to have come not directly from CoWIN but from “a health worker who had inadequately protected vaccination beneficiary data.”

API?

A report in Hindustan Times quotes a senior Union government official as saying that the Union health ministry has also initiated an investigative exercise related to the CoWIN service which will throw up some clues in the “next couple of days.”

The report also notes that HT was privy to “discussions at an associated Telegram group where the developer of the bot made certain claims about how they accessed personal data”. These discussions, if true, are contrary to the government’s immediate claims that CoWIN had not been hacked.

There can be more sophisticated forms of hacking, including through architectural vulnerabilities in the application programming interface or API. Programmes exchange information with each other through APIs.
An expert noted that an app or a service used by anyone to update hospitals’ vaccine data can act as such a gateway.

A person writing in the Telegram group that HT saw said that they had once secured the credentials to such an API authorised to draw data from CoWIN.

Thus, while drawing data in this manner does not elevate the method to hacking, it does mean that the database is wholly or partially available for replication.

This would also need less technical prowess than a full-blown hack.

The data leak is risky for a number of reasons.

A report in Business Standard points out that the stolen database is a “perfect recipe” for cybercrime like extortion calls, identity thefts, phishing attacks and other scams.

Experts quoted in the piece say that the datasets provided in the Telegram channel ensure that anyone intending to engage in cybercrime has almost everything they need. People are also likely to set passwords using information of the kind that was made available.

The leaked data also offers an opportunity for attackers to breach banking systems. Kumar Ritech, an expert quoted in the piece, says that with the data that has been leaked, “Cyber threat actors may also attempt more ‘brute force’ attacks by using combinations of first name, date of birth, etc.”

Attacks involving phishing do not allow victims much recourse, Pankit Desai, another cybersecurity expert, told Business Standard.

Twitter user Anivar Aravind noted that Aadhaar numbers offer gangs a key opportunity to take over your identity through a phone number change, pointing to rackets that have spread to 16 states.
In a thread, he compiled recent reports of leaks from PM-Kisan, the Aadhaar-GST fake billing scam, and attackers using Aadhaar details to withdraw provident fund money.

“What happens with leaked/stolen Aadhaar

If any Aadhaar center operators are colluding gangs like this (remember 60k plus operator blacklisting by UIDAI in the past) only a phone number change is enough to take over your identity

You might own a shell company doing tax evasions https://t.co/Xo8D5lLUAT”

Anivar Aravind (@anivar), June 14, 2023

In an opinion piece in Indian Express, Apar Gupta of the Internet Freedom Foundation has highlighted that the government’s response has been “self serving” and largely relies on “bluster to overcome a media maelstrom.”

In his piece, Gupta points out that previous leaks, including the 2022 Employees’ Provident Fund Organisation breach, successive RailYatri portal breaches since 2020 and the AIIMS ransomware attacks in 2022, were also greeted with silence, and if there have been technical findings, they have not been made public.

In the column, Gupta notes the lack of legal accountability, which results in key concerns on individual harm, along with the creation of regulatory frameworks, remaining unaddressed.