After reports that CoWIN data had been accessed by a Telegram bot, the Minister of State for Electronics and IT, Rajeev Chandrasekhar, said the Indian Computer Emergency Response Team (CERT-In), the nodal cyber security agency, had reviewed the alleged breach and found that the CoWIN portal was not “directly breached.” He said the data that an automated account on Telegram was allegedly sharing, including citizens’ Aadhaar and passport numbers, was drawn from previously breached databases. The Union IT Ministry says the breached data were previously stolen, but not from the CoWIN portal; CERT-In had been asked to investigate the issue and submit a report.
What happened in the CoWIN data breach?
The CoWIN data breach involved the accidental exposure of the personal information of individuals registered on the CoWIN portal through a Telegram bot. The bot allowed access to details such as identification numbers (Aadhaar, passport, PAN card), gender, date of birth, and vaccination center information. The leaked data also included passport numbers of individuals who updated their CoWIN profiles for international travel. Initially, the bot provided complete Aadhaar numbers, which were later restricted to showing only the last four digits.
Who was affected by the breach?
The breach impacted individuals who registered on the CoWIN portal to receive COVID-19 vaccinations. The leaked data reportedly included prominent politicians and journalists, such as Derek O'Brien, P Chidambaram, Jairam Ramesh, KC Venugopal, Rajdeep Sardesai, and Barkha Dutt. The breach raised concerns about the privacy and security of personal information and the potential misuse of sensitive data.
What did the government say in response to the breach?
The government initially denied that the Telegram bot had direct access to the CoWIN database. It stated that the bot may have obtained data from previously stolen sources. The government emphasized that the CoWIN portal is secure and has implemented various measures such as OTP authentication, web application firewalls, anti-DDoS protection, SSL/TLS encryption, and regular vulnerability assessments. It assured the public that the breach was being taken seriously and that CERT-In had initiated investigations.
What actions did the government take?
Union Minister Rajeev Chandrasekhar on Tuesday reiterated that the personal details of Indian citizens provided by an automated account on the messaging application Telegram were prima facie not leaked from the CoWIN app, even though the data included the location of their last Covid vaccination. CoWIN is the repository of all data of beneficiaries who have been vaccinated against Covid-19.
In response to the breach, the government took several actions to address the situation. They initiated an investigation by CERT-In to determine the extent of the breach, identify vulnerabilities, and recommend necessary actions to prevent future incidents. The government also pledged to review and strengthen the security measures of the CoWIN portal. Communication efforts were made to inform affected individuals about the breach and provide guidelines on safeguarding personal information. Collaborating with law enforcement agencies, the government sought to identify and apprehend those responsible for creating and disseminating the Telegram bot.
What are the implications for data privacy and security?
The CoWIN data breach highlights the importance of robust data privacy and security measures, especially when handling sensitive personal information. It raises concerns about the potential misuse of Aadhaar, passport, PAN card, and other identification details. The incident underscores the need for stringent safeguards and regular security audits on digital platforms that handle personal data. It also emphasizes the significance of public awareness regarding data privacy, identity theft, and fraud prevention measures.
What steps are being taken to prevent future breaches?
To prevent future breaches and enhance data security, the government is actively reviewing and strengthening the security measures of the CoWIN portal. They are collaborating with cybersecurity experts and implementing recommendations provided by CERT-In. Additionally, there is a focus on raising awareness among individuals about the importance of securing personal information, using strong passwords, and being cautious of potential phishing attempts. Continuous monitoring and regular security audits will be crucial in identifying and mitigating any vulnerabilities.