India denies massive data breach involving Covid vaccine website

File: A health official shows a CoWIN app to test beneficiaries as she takes part in dry run or a mock drill for Covid-19 coronavirus vaccine delivery (AFP via Getty Images)

India on Monday sought to allay fears that the personal data of hundreds of millions of citizens who signed up on a government portal to book their Covid-19 vaccines had been breached, after reports that a Telegram bot was distributing the information online.

The administrators of the bot claimed that it had access to data from the government’s official vaccine portal CoWin, which was mandatory for people to book their first, second and booster Covid shots after it was launched by the Narendra Modi administration in January 2021. It boasts over a billion users in India, including foreign nationals.

Multiple news outlets reported on Monday that sensitive personal information such as private contact numbers, passport numbers, dates of birth and national ID numbers known as Aadhaar were available on the Telegram channel if a user typed in a phone number registered with CoWin.

Earlier reports said the channel was also distributing private medical information exclusive to CoWin such as when and where people received their vaccinations, but this was no longer the case when the Telegram channel was reviewed by The Independent.

Rajeev Chandrasekhar, federal junior minister for electronics and technology, said the government’s computer emergency response team immediately “responded and reviewed” the so-called leak and said “it does not appear that CoWin app or database has been directly breached”.

He confirmed that the bot appeared to be sharing genuine private data, but suggested this came from an earlier breach and not one involving CoWin.

“The data being accessed by bot from a threat actor database, which seems to have been populated with previously breached/stolen data stolen from the past. It does not appear that the Cowin app or database has been directly breached. National Data Governance policy has been finalised that will create a common framework of Data storage, Access and Security standards across all of govt(sic),” said Mr Chandrasekhar.

“CoWin portal of health ministry is completely safe with safeguards for data privacy... Only OTP authentication-based access of data is provided,” a statement from the federal health ministry also said.

Officials provided no information on when or where the prior breach might have taken place, or how many people were affected.

Data security experts said that, if confirmed, a breach on the scale of the CoWin platform's user base would be unprecedented in India.

“This is the first of its kind data leak targeting families in India and the magnitude of this leak is huge. It is worth noting that while other previous leaks in India only shared the last 4 digits of the 12 digit Aadhaar number, this bot gives out all 12 digits of your unique ID to anyone requesting it,” privacy and data protection activist Anivar Aravind told The Independent.

It is also concerning because CoWin as a web portal was also engaged in other large-scale projects, including one for a federal health identification number for the Indian population, said Mr Aravind, who is also a petitioner against data collection for the official Aarogya Setu app, used during the pandemic for tracking Covid contacts.

Apart from potentially hundreds of millions of regular citizens, the users whose data could be accessed on the Telegram bot included prominent politicians, bureaucrats and journalists.

The data breach included senior opposition leaders such as the Congress party’s P Chidambaram and Jairam Ramesh, Trinamool Congress’s Derek O’Brien, and the state of Telangana’s information and communication technology minister Kalvakuntla Taraka Rama Rao (KTR), according to news outlets which verified the leaked data with these individuals.

The bot first came to light on Sunday when a Kerala-based news portal named The Fourth News was able to access the details of the most senior official heading the panel overseeing CoWin.

Data relating to the Modi administration’s former health minister Harsh Vardhan and minister for culture Meenakshi Lekhi were also accessed, reported The News Minute.

The bot was taken down on Monday morning after the first reports of the data breach surfaced, and did not provide the option to search mobile phone numbers and Aadhaar numbers after 8.50am.

The CoWin website says India has given out more than 2.2 billion Covid vaccine doses, of which just 5.2 million were administered outside of the CoWin online system. There are more than 1.1 billion Covid vaccine recipients registered in India, according to the website, though this figure includes those who signed up offline.

The head of the CoWin oversight panel, RS Sharma, said in January last year that the app boasts “state-of-the-art security infrastructure” and has “never faced a security breach”.
