Union Minister Rejects Allegations of CoWin Data Breach
Union Minister Rajeev Chandrasekhar responded to numerous reports claiming a significant CoWin data breach by providing a detailed rebuttal on Twitter.
Earlier reports had claimed that the CoWin data breach leaked the personal information that many people provided when taking the Covid vaccine. A huge number of people had registered with CoWin by providing identity proofs such as Aadhaar Card, PAN Card, Passport and many more.
CoWin is an application developed as an IT solution for implementing COVID-19 vaccination in India. According to the CoWin website, up to 95.2 million citizens have been fully vaccinated.
In his tweet, Chandrasekhar said, “Referring to some of the alleged Cowin data breaches reported on social media, @IndianCERT has immediately responded and verified this”.
After this, the minister presented a 4-point objection:
1. “Telegram bot threw up data from Cowin app while entering phone numbers”
2. “Information that the bot uses from a threat actor database that appears to be full of previously stolen information.”
3. “It does not appear that the Cowin application or database was directly breached”
4. “The National Data Governance Policy has been finalized and will provide a common framework for data storage, access and security standards for all governments.”
Speaking to ReturnByte, Professor Sandeep Shukla of IIT-Kanpur said, “I cannot say for sure if the data leak reports are true or mischievous as claimed by government sources.”
He added: “However, if it does happen, it’s not surprising. No system is 100 percent secure, and risk needs to be constantly assessed and security posture dynamically managed based on threat detections.”
Professor Shukla concluded by saying, “If we declare ourselves completely safe, nothing like that can happen. Let’s hope the stories are just misleading and not true.”
The Ministry of Health said in a statement that “CERT-In has pointed out in its original report that the back-end database of the Telegram bot did not directly use the APIs of the CoWIN database”.
The ministry called these reports “phenomena”. The statement said: “It has been clarified that all such reports are baseless and malicious. The Ministry of Health’s Co-WIN portal is completely secure and has adequate privacy protections in place.”