In a brief but evidently sizeable data breach, the information of hundreds of thousands of Indians who received the Covid vaccine was allegedly leaked on a Telegram channel. According to several reports, crucial information such as a person’s phone number registered on the CoWin portal of the Union Ministry of Health, gender, ID card information, and date of birth was leaked on Telegram. It could be retrieved from a Telegram bot by entering a person’s name.
According to media reports, the Telegram bot could throw up personal information of significant personalities, including Telangana’s Minister of Information and Communication Technology Kalvakuntla Taraka Rama Rao (popularly known as KTR), Dravida Munnetra Kazhagam Member of Parliament (MP) Kanimozhi Karunanidhi, Bharatiya Janata Party (BJP) Tamil Nadu President K Annamalai, Congress MP Karti Chidambaram and former Union Minister of Health Harsh Vardhan of the BJP.
The bot was disabled after media reports, but experts said the incident left behind serious concerns as the data could be used for identity theft, phishing emails, scams, and extortion calls.
The government’s nodal agency, the Indian Computer Emergency Response Team (CERT-In), initiated an inquiry into the matter after the reports.
Terming the data leak reports about the repository of beneficiaries vaccinated against Covid as “mischievous in nature”, the central government on Monday said the ‘bot’ that had allegedly accessed the private data was not accessing the CoWIN database directly.
The government said the bot may be showing information from “previously stolen data”, according to the initial report by CERT-In, the cybersecurity arm of the government.
The health ministry denied the breach, saying that the data cannot be shared with any bot without authentication using a one-time password.
“It is clarified that all such reports are without any basis and mischievous. The CoWIN portal of the health ministry is completely safe with adequate safeguards for data privacy… All steps have been taken and are being taken to ensure the security of the data in the CoWIN portal,” read a statement from the health ministry.
It added that the CoWIN portal had adequate security measures with web application firewall, anti-DDoS, SSL/TLS, regular vulnerability assessment, identity and access management, etc.
Minister of State for Information Technology Rajeev Chandrasekhar tweeted that it did not appear that the CoWin application or database had been directly breached and the data being shared seemed to be from an earlier breach.
But the breach yet again brings to the fore the growing menace of cyber threats, especially to government websites. A few months ago, the servers of the All India Institute of Medical Sciences were hacked by cybercriminals.
Although the number of people affected by the privacy breach on CoWin could not be confirmed, over 95 per cent of adult Indians have received their vaccines, according to the latest data. The total vaccination stands at around 2.2 billion doses at the time of going to press.
In 2021, cyber intelligence firm Cyfirma warned that hackers from China and North Korea were planning to attack CoWin servers.
This left experts baffled.
Kamesh Shekar, program manager at public advocacy group The Dialogue, said a breach of this scale could have economic and privacy implications for individuals.
“However, as we move forward, preventing such incidents requires concrete and coordinated governance and regulatory frameworks which map responsibilities for several players within the digital public infrastructure ecosystem,” he said.
According to a CloudSEK analysis, the threat actor does not have access to the entire CoWin portal or the back-end database, but there was a data breach in the past.
“On March 13, 2022, a threat actor on a Russian cybercrime forum advertised for compromised access on the CoWIN portal. As proof of compromise, the actor shared a screenshot of the CoWIN database portal affecting the Tamil Nadu region. We currently believe that the current incident is associated with a threat actor who has access to health workers,” observed the analysis.
Several independent cybersecurity experts have confirmed the possibility of a partial database breach from the CoWIN platform.
But the incident has made security experts sit up and take note.
“There are possibilities of multiple types of issues here, like IDOR vulnerabilities and unsecured databases, among others. Both CoWIN and Aadhaar data of India are extremely sensitive and at massive risk of cyberattacks, which can wreak havoc when in the hands of nation-state adversaries of India among the normal scammers,” said Himanshu Pathak, managing director, CyberX9.
Experts also warn that there could be multiple copies of the leaked data and that there was no remedy to reverse the damage.
“The bot was a plain search facility on a database and multiple records were fetched against one thing. For instance, if you search with a person’s name or their Aadhaar number, it gives out details of six people vaccinated against it. Now they have just cut this access, but data is still out there,” said Anivar Aravind, executive director of the civic-tech non-profit initiative Indic Project.