Govt relies on two probes to crack the CoWIN data ‘leak’
Sensitive personal information was freely accessible for an unknown duration.
Officials in the Union health ministry are relying on two investigations to find more clues on how data purportedly from the CoWIN platform made its way into people’s hands via a Telegram account, even as experts said there are broadly two ways in which it could have happened.

A senior central government official, who asked not to be named, said one of the exercises, initiated by the Union health ministry to review internal security protocols related to the CoWIN service, will likely throw up some clues in the next couple of days.
“The internal review is going on, and our estimate is that it would conclude in a couple of days. Thereafter we will tell you of the modifications or enhancements required to the CoWIN platform,” the official said.
A second probe has been launched by the Indian Computer Emergency Response Team (CERT-In). A second government official said this investigation is underway, and declined to give a timeline on when findings will be made known.
“Experts concerned are looking into it; and further course of action will be decided based on their recommendations,” added a third official.
Sensitive personal information, including identity document numbers such as those of Aadhaar and passports, was freely accessible for an unknown duration, reports and screenshots shared by those who found the illicit service on Monday showed. The disclosures prompted criticism from experts and Opposition leaders, even though the government denied that a “direct breach” of the CoWIN database, from where the sensitive information had originated, had taken place.
The sensitive data was shared by an automated Telegram account which has since been taken offline, and a Telegram “channel” that made it popular has now also been deleted.
HT was privy to the discussions at an associated Telegram group where the developer of the bot made certain claims about how they accessed the personal data, even though the government had denied in an earlier statement that such ways were possible.
Experts on Tuesday said the government’s response on Monday was rushed and such breaches are, in fact, possible due to flaws in system architecture or inadequate security.
The first way in which this can happen, and the one described by the unidentified developer although HT could not verify this person’s claims, is through architectural vulnerabilities in what is known as an application programming interface, or API.
An API is essentially a gateway for one programme to exchange information with another. “The government provides such gateways for legitimate access for a variety of reasons. For example, there could be an app or a service hospitals use to update vaccination details, or one that Asha workers use to register beneficiaries through their mobile phones,” said Anand V, a cybersecurity expert and co-founder of DeepStrat.
There have been instances when attackers have “tailgated” APIs to access the same gateways illegitimately.
In this case, the unknown developer, who ran a programming hobby group called “hak4learn”, said during discussions in the Telegram group that he had indeed secured the credentials to one such API authorised to draw data from CoWIN for the bot. The bot was then able to pull names, birthdays and identity document details of a phone number it was fed.
In this method, the entire database has not technically been hacked, but if all data from it can be retrieved using an API query, there is a hypothetical possibility that it may have, in part or wholly, been replicated, Anand added.
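To make the API path described above concrete, here is an added illustration (not CoWIN’s code, nor anything from the developer or the officials quoted) of two designs for a lookup-by-phone-number endpoint. The first authorises a lookup on the strength of a static integration credential alone, so whoever obtains that credential can feed the endpoint phone numbers one after another and replicate the records, which is the scenario Anand describes. The second, a hypothetical hardened design, binds every lookup to a short-lived session proving control of the queried phone number and gives each credential a lookup budget, so a leaked key yields neither other people’s records nor a bulk dump. All records, the partner key and the budget values are constructed for the example.

```python
"""Added example: lookup-by-phone API with a static partner key (weak) beside a
hardened variant with OTP-bound sessions and a per-credential budget.
All data is fake and the design is hypothetical, not CoWIN's."""
import hmac
import secrets
from collections import defaultdict

# Constructed sample records (fake names, numbers and document fragments).
RECORDS = {
    "9100000001": {"name": "Asha Rao", "dob": "1981-04-12", "doc": "passport ****4321"},
    "9100000002": {"name": "Bipin Das", "dob": "1975-09-30", "doc": "aadhaar ****8765"},
    "9100000003": {"name": "Chitra Nair", "dob": "1990-01-05", "doc": "aadhaar ****2468"},
}
# Hypothetical integration credential of the kind a hospital app might hold.
PARTNER_KEY = "hospital-app-01-9f3c"


def weak_lookup(api_key: str, phone: str):
    """Weak design: the partner key alone authorises a lookup of ANY phone
    number, so whoever obtains the key can walk the whole number space."""
    if not hmac.compare_digest(api_key, PARTNER_KEY):
        return None
    return RECORDS.get(phone)


def enumerate_weak(api_key: str, phones):
    """What a bot fed a list of phone numbers achieves against the weak design."""
    found = {}
    for phone in phones:
        record = weak_lookup(api_key, phone)
        if record is not None:
            found[phone] = record
    return found


class HardenedService:
    """Hypothetical hardened design: a lookup needs the partner key AND a
    session proving control of the queried phone (via OTP), and every
    credential has a lookup budget per window so a leaked key cannot dump data."""

    def __init__(self, budget: int = 2):
        self.budget = budget
        self.used = defaultdict(int)   # lookups performed per credential in the window
        self.pending_otp = {}          # phone -> OTP "sent" by SMS
        self.sessions = {}             # session token -> verified phone

    def send_otp(self, phone: str) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[phone] = otp
        return otp  # simulation only: a real service delivers this by SMS, never in the API response

    def verify_otp(self, phone: str, otp: str):
        expected = self.pending_otp.pop(phone, None)
        if expected is None or not hmac.compare_digest(expected, otp):
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = phone   # the session is bound to this one number
        return token

    def lookup(self, api_key: str, token: str, phone: str):
        """Returns (status, record); record is None unless status is 'ok'."""
        if not hmac.compare_digest(api_key, PARTNER_KEY):
            return "bad_credential", None
        if self.sessions.get(token) != phone:
            return "no_proof_of_ownership", None   # no session, or one for another number
        if self.used[api_key] >= self.budget:
            return "rate_limited", None            # budget exhausted: enumeration stops here
        self.used[api_key] += 1
        return "ok", RECORDS.get(phone)
```

Against the weak endpoint the enumeration loop returns every record whose number falls in the range tried; against the hardened one the same credential gets nothing for numbers it cannot prove it controls, and even a legitimately obtained session runs into the budget. In a real deployment the per-credential counter would live in shared storage and its spikes would be exactly what a review of API access logs looks for.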
The second way, the cybersecurity researcher said, is if the entire CoWIN database had been hacked – a method that would require significantly more sophistication in skill and resources. “In that case, we would have likely seen plausible attempts to sell the database on the dark web or have gotten a tip-off from threat intelligence firms that monitor such sophisticated actors,” he added.
Officials in the Union ministry of electronics and information technology did not respond to requests for more details on the issue.