CoWIN vaccine database in the eye of a leak storm
Union health ministry denied a breach had taken place, but screenshots showed sensitive information was accessed.
Sensitive personal information, including details of identity documents such as Aadhaar and passports, of those who took or signed up for Covid-19 vaccines was freely accessible for an unknown duration, according to reports and screenshots shared by those who found the illicit service on Monday, prompting criticism from experts and Opposition leaders even as the government denied a breach had taken place.

First reported by a Malayalam news website, The Fourth, the data leak was being enabled through an automated account on the messaging application Telegram. The account, technically a bot, responded with the name, date of birth, identity document type and number, and location of last vaccination linked with a mobile phone number sent to it.
“It is clarified that all such reports are without any basis and mischievous in nature. CoWIN portal of health ministry is completely safe with adequate safeguards for data privacy,” the Union health ministry, which maintains the service, said in a statement.
In a separate rebuttal in a tweet, Union minister of state for electronics and technology Rajeev Chandrasekhar said “it does not appear that CoWIN app or database has been directly breached”, and said that the data being accessed “seems to have been populated with data stolen previously”.
The incident is a reminder of how more needs to be done for data privacy of Indian citizens. Keeping aside the nature and scale of the data compromise, it must be remembered that India does not yet have legal protections in place for privacy, and there are no guardrails for those handling such information or accountability for those jeopardising such sensitive data. Until India brings in a robust, citizen-focussed data protection law, the threat of unmitigated harms such as hacking, identity theft and bank frauds remains high.
Screenshots, including those unredacted, seen by HT indicated that sensitive information was accessed. The Telegram bot was offered by an unknown developer or group of developers, who pulled down the service in the morning when the first news reports broke.
According to messages exchanged by the developer and a number of other users on a linked group chat, the developers said they found a circuitous and illicit route to secure a legitimate way to send queries to the CoWIN database that resulted in a successful response.
According to reports, the leaked data includes Aadhaar card numbers, along with gender, date of birth and vaccination centre of senior politicians such as Rajya Sabha MP and Trinamool Congress leader Derek O’Brien, former Union ministers P Chidambaram and Jairam Ramesh, and Congress leader KC Venugopal.
They also include details of health secretary Rajesh Bhushan, deputy chairman Rajya Sabha Haribansh Narayan Singh, Rajya Sabha MPs Sushmita Dev, Abhishek Singhvi, and Sanjay Raut, Trinamool’s Saket Gokhale said with redacted screenshots.
The Union health ministry has asked the Indian Computer Emergency Response Team (CERT-In) to look into the reports of the data breach issue and submit a report, according to a statement.
“The ministry has also initiated an internal exercise to review the existing security measures of CoWIN,” the ministry said.
Ostensibly referring to some of the screenshots, the health ministry said in the statement: “only year of birth is captured for adult vaccination but it seems that on media posts it has been claimed that BOT also mentioned date of birth. There is no provision to capture address of beneficiary.”
A senior government official, who asked not to be named, said the CoWIN “portal is safe”. “Further investigation is being conducted by the experts concerned, and we will know more on it once the report is submitted.”
This is not the first time there has been a reported breach of CoWIN data. Last year in January, there were reports of CoWIN data being leaked, prompting the health ministry to issue a clarification.
National Health Authority chief Ram Sewak Sharma, who heads the CoWIN portal, did not respond to requests for a comment.
Experts said the controversy underscores the urgent need for a data protection bill that will protect citizens from such exposure and ensure accountability of institutions. Founder of Cybersaathi and Supreme Court lawyer NS Nappinai said irrespective of the correctness of the news reports, the very issue raised of data protection for digital data in the hands of government agencies highlights the urgency for India’s personal data protection legislation. “More importantly, that health data and other documents that contain personal information such as Aadhaar or PAN Card or driving license should carry higher levels of reasonable security measures is also spotlighted with this data breach,” she said.