"Mischievous": Centre Refutes Reports Of Co-WIN Data Leak

On Monday, following reports of a massive data breach of users of the Co-WIN portal through a Telegram bot, the Ministry of Health and Family Welfare (MoHFW) reassured users of the platform, and stated that Co-WIN user data was safe.

"Co-WIN portal of Health Ministry is Completely Safe with safeguards for Data Privacy," the statement added. However, it failed to address the various allegations raised by media outlets and social media users who claim to have used the bot, and have provided evidence in the form of screenshots containing private data to back their claim.

On Sunday night, Malayalam news portal The Fourth News broke the story of data breach, highlighting how private and sensitive information of users registered on Co-WIN - MoHFW's digital platform for scheduling and certification of COVID-19 vaccines in India - were readily available through a Telegram bot, which has since been deleted.

According to the article, The Fourth News was able to retrieve sensitive details such as date of birth and PAN/Aadhaar/Passport numbers of many prominent politicians and ministers, using either their phone numbers or Aadhaar numbers as a search query.

Media outlet The News Minute also reported having used the Telegram bot before it was deleted, to retrieve the details of several politicians across party lines. It also reported having verified the details with several of the politicians, which reportedly turned out to be authentic.

Due to the Telegram bot being no longer available at the time of writing this article, BOOM was unable to independently verify the allegations of data leak by The Fourth News and The News Minute.

The Centre, however, refuted these reports, terming them as 'mischievous' and 'without any basis'. The MoHFW spokesperson added, "Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal."

While the Centre's response cited the existing security measures of the platform as the primary evidence to refute the claims of data breach, it failed to address how private details of prominent political actors were retrieved by media outlets and social media users.

Rajeev Chandrasekhar, the Union Minister of Electronics and Technology, also stated in a tweet that the data being accessed by the Telegram bot used a previously breached database, adding, "It does not appear that Cowin app or database has been directly breached."

According to independent researcher Srinivas Kodali, the Centre's response does not sufficiently address the allegations raised by the media reports and other social media users, and the evidence provided (in the form of screenshots of private data retrieved from the Telegram bot) to back these allegations.

"The information out there does not corroborate what the government is saying. Telling us that there are some security measures does not guarantee that there cannot be a breach," Kodali told BOOM.

He further explains that in potential cases of data breach, such as the alleged Co-WIN user data leak, it is the government's job to investigate and inform the public on how it happened.

"There is evidence that somehow information has leaked. So it's the job of the ministry to investigate now, and they have to tell us exactly how it happened. But they are saying there is no breach, without any investigation" he said.

Kodali also highlight's Chandrasekhar's tweet and questions what the minister was referring to, when he spoke of a previous data breach. "We don't know which data breach he is referring to, and he needs to explain that," he added.