CoWin Data breach !!

A recent report has claimed that the personal data of every single Indian who got the COVID-19 vaccination is publicly available, who had signed up on CoWIN (Covid Vaccine Intelligence Network) portal - was shared by a bot account on Telegram. If the news has some truth then, one billion vaccinated Indians could be potentially affected. The personal data of every single Indian who got the COVID-19 vaccination is publicly available.

COWIN was developed and is owned & managed by Ministry of Home and Family Welfare, Govt. of India. The Indian government is investigating the reports that the personal information of people registered on the CoWIN portal, the country's Covid-19 vaccination tracking platform, has been leaked.

If the data breach is true, it would mean that this sensitive personal information could be in the hands of unauthorized individuals. This could lead to a number of problems, including identity theft, financial fraud, and even physical harm.

The report further allege that the leaked data includes Aadhaar, voter ID, passport numbers and cellphone numbers of politicians, bureaucrats, and others have been leaked on the social media platform Telegram, reported data-driven news portal South Asia Index in a series of tweets yesterday.

The government has denied the reports, saying that the CoWIN portal is "completely safe" and that only OTP authentication-based access to the data is provided.

In its statement, the Centre listed the security measures – "Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management," among other things. Union Health Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report. The ministry has, however, denied the reports of the data leak. "There are no public (Co-WIN) APIs where data can be pulled without an OTP," the ministry stated.

Minister of State for IT, Rajeev Chandrasekhar has commented on the reports that Co-WIN data was leaked by a Telegram bot. He stated that the bot seemingly accessed data that was stolen from databases other than Co-WIN in the past. It does not appear that Co-WIN app or database has been directly breached.

The Telegram account, which has shared the personal details, has been inactive after the news got viral. The bot has apparently showed the name of the person, the government ID they used while getting the vaccination and where they got

their vaccination. It also has records of date of birth and passport numbers of those who updated CoWIN for foreign travel.

CoWIN is integrated with Aarogya Setu and UMANG Apps. UMANG (Unified Mobile Application for New-age Governance) provides a single platform for access to pan India e-Gov services ranging from Central to local government bodies. The news has raised concerns about the security of personal data in India.

Some people have praised the government for taking the matter seriously, while others have criticized the government for not doing enough to protect people's personal data. Experts have been advising, there are number of potential problems that could arise in the country , with the vision of the government to go everything digital.