BW Businessworld

Govt Denies CoWin Breach, Says Data Is 'Completely Safe'

Earlier reports had indicated that data from the CoWin portal, which stored personal details of individuals who received the Covid vaccination, had been leaked on Telegram, including information about many Indian citizens


The Central government has released an official statement affirming the complete safety of the CoWin portal amidst reports of a data leak that exposed personal information of numerous Indian citizens on the messaging app Telegram.

Addressing the data breach reports, the Centre stated, "The CoWin development team has confirmed that there are no public APIs through which data can be accessed without an OTP." The official statement referred to reports that personal data, such as PAN numbers and Aadhaar numbers, of several Indian citizens, including prominent political leaders, had been made available on Telegram. The Indian health ministry dismissed these reports as "mischievous" and "baseless." 

The official statement also mentioned certain posts on Twitter claiming that a Telegram Bot was accessing personal data of vaccinated individuals. It was reported that the Bot could extract individual data by simply providing the mobile number or Aadhaar number of a beneficiary. The ministry emphasised that these claims were unfounded and without any basis. 

The ministry's report further detailed the security measures implemented for the CoWin portal, emphasising the protection of data privacy. It clarified that the CoWin portal of the Health Ministry is completely secure, incorporating measures such as a Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessments, and Identity & Access Management. Data access on the CoWin portal is solely based on OTP authentication. The government assured that all necessary steps were being taken to ensure the security of data on the CoWin portal.

The CoWin portal, managed by the Ministry of Health and Family Welfare, serves as a repository of data for individuals vaccinated against Covid-19. The Indian government informed the Indian Computer Emergency Response Team (CERT-In) about the issue and requested a report. Additionally, an internal assessment of the existing security measures of CoWin has been initiated. 

According to CERT-In's preliminary report, the backend database for the Telegram bot did not directly access the APIs of the CoWin database. The official statement clarified that CoWin was developed and is owned and managed by the Ministry of Health and Family Welfare, with the Empowered Group on Vaccine Administration (EGVAC) overseeing its development and policy decisions. The EGVAC, chaired by the former CEO of the National Health Authority (NHA) and including members from the Ministry of Health and Family Welfare and the Ministry of Electronics and Information Technology (MeitY), steered the development of CoWin.

The Indian government's official statement also provided clarity on the data access methods employed by the government. Currently, access to individual-level vaccinated beneficiary data on the CoWin portal is available at three levels: 

  • Beneficiary dashboard: Individuals who have been vaccinated can access their own CoWin data using their registered mobile number with OTP authentication. 

  • CoWin authorised user: Vaccinators with authenticated login credentials can access the personal-level data of vaccinated beneficiaries. The CoWin system records and tracks every instance of authorised user access. 

  • API-based access: Third-party applications with authorised access to CoWin APIs can access the personal-level data of vaccinated beneficiaries only through beneficiary OTP authentication.

Regarding the alleged data leak on the Telegram bot, the Indian government stated, "Without OTP, vaccinated beneficiaries' data cannot be shared with any Bot." The government added that only the year of birth is captured for adult vaccination, contrary to media claims suggesting the inclusion of the date of birth (DOB). Furthermore, the CoWin system does not capture the beneficiary's address. 

Reports indicate that the Bot allegedly responsible for disclosing personal details of Indian citizens on Telegram has been disabled. 

