Government Says Co-WIN Data Leak on Telegram May Be From ‘Previously Stolen Data’

The leaked data was accessible through a Telegram bot. If the mobile number of a person was entered, details from identification documents submitted on Co-WIN, like Aadhaar, passport or PAN cards, were furnished immediately.

New Delhi: Personal details of citizens, uploaded onto the CoWIN portal through which the booking of COVID-19 vaccine shots had been facilitated by the government, were available on the Telegram app for all to access, the Malayala Manorama has reported.

The report on the newspaper’s English website notes that if the mobile number of a person was entered on Telegram, details from identification documents submitted on CoWIN, like Aadhaar, passport or PAN cards would be furnished immediately by a reply bot. Also in the reply would be the gender of the person, their date of birth and where they got their vaccine.

If someone entered a person’s Aadhaar number, the same details could be accessed. However, phone numbers offered details on more than one person, as several people in a household may be registered under a particular number.

Reporter Jikku Varghese Jacob tweeted that the newspaper “confirmed this by giving the mobile number of the secretary of the Ministry of Health and Family Welfare.”

“We could see the details of him and his wife (she is an MLA). Both were registered on the same number,” he tweeted.

Jacob said that details of ministers and secretaries from various ministries were available. Those who had updated their date of birth and passport number for international travel also had these two details leaked.

“For others, there is birth year and a default value, ‘January 1’ (because birth year was only asked at first),” he wrote.

The Co-WIN portal opens to a user after they enter the one-time password or OTP it sends to their phone number. This is the system that is bypassed by the Telegram bot.

Journalists and opposition leaders are among those whose details have been leaked by the bot, the report says.

This bot was blocked as soon as the report emerged this morning.

Government denies ‘direct breach’

The Union government has denied that the Co-WIN app or database was “directly breached”, with the Union minister of state for electronics and technology Rajeev Chandrasekhar claiming that the data accessed by the bot is “from a threat actor database”, which seems to have been populated with “previously breached/stolen data stolen from past”.

He said in a tweet that it “does not appear that Cowin app or database has been directly breached” and that a “National Data Governance policy has been finalized that will create a common framework of Data storage, Access and Security standards across all of govt.”

The Union health ministry, however, claimed that the reports that individual data could be accessed by “simply passing the mobile number or Aadhaar number of a beneficiary” are “without any basis and mischievous in nature”. It said, “Co-WIN portal of Health Ministry is completely safe with adequate safeguards for data privacy.”

The statement claimed that the development team of Co-WIN has “confirmed that there are no public APIs where data can be pulled without an OTP. In addition to the above, there are some APIs which have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing the data by calling using just a mobile number or Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application”.

The ministry has requested the Indian Computer Emergency Response Team (CERT-In) to “look into this issue and submit a report”, and an internal exercise has been initiated to review the existing security measures of the portal, the statement said.

CERT-In’s initial report has pointed out that the backend database for the Telegram bot “was not directly accessing the APIs” of the Co-WIN database.

In 2021 too, the Union government dismissed reports of Co-WIN being hacked. Mint had reported on how the Union health ministry, while dismissing the hacking claims, said that the matter would be investigated by CERT-In.

Questions about government’s response

Meanwhile, several questions have been raised with respect to the Union government’s response. Apar Gupta, the co-founder of the Internet Freedom Foundation, said if the data “seems to have been populated with previously breached/stolen data”, then that confirms that data was breached in the past. He asked if there has been any investigation into this matter.

“Secondly, when was the data breached?” he asked in a tweet. He also asked if MeitY or the health ministry did an investigation to conclude that the Co-WIN app database wasn’t breached.

Concerns were also raised about whether the Telegram bot was providing accurate responses containing the sensitive personal data of people vaccinated through Co-WIN.

Note: This article was originally published at 12:57 pm on June 12, 2023 and was republished at 7:05 pm on the same day to include the government’s response.