Jump to content

There has been a MAJOR data breach of Modi Govt where personal details of ALL vaccinated Indians including their mobile nos., Aadhaar numbers, Passport numbers, Voter ID, Details of family members etc. have been leaked & are freely available.

JackSeal

By JackSeal
in Discussions

 Share

Recommended Posts

JackSeal Celebrity

JackSeal

Posted
Posted

Hello, 

This week, I am writing to you about yet another instance of major data breach. Personal details of Indians who took COVID vaccine have been made public by a Telegram bot. Just to check if this included big names, we entered details of politicians, including KTR, Kanimozhi and Annamalai, who confirmed to us that the leaked data on them were authentic. This included their passport numbers.
 

After the story on the leak was published, the government has come up with an explanation that the data is from a previous breach. This throws up more questions. What is this previous breach? Will we ever know?

At TNM, we have been following stories of personal data in the country closely. Speaking truth to power is expensive. Become a TNM Member today and support our journalism. 

Become a TNM Member
In April 2023, we reported on how email IDs and other personal data of over 60 crore people were stolen and being sold on JustDial. 

In the same month, we reported on yet another private firm in Bengaluru, which was selling voter data of lakhs of voters to candidates, just a month before Karnataka Assembly elections.

  
Most of you will remember our story on Chilume, the findings of which were validated by a probe by the Election Commission of India. 
 
In recent times, we wonder often about how safe our personal data is. As we strive to bring you more stories on this crucial issue that affects us all, it is important to mention that the work we do wouldn’t be possible without the support of our members. 

 
Speaking truth to power is expensive. Become a TNM Member and support our journalism. 

Become a TNM Member
Warm regards,
Dhanya Rajendran
Editor in Chief
The News Minute

Link to comment
Share on other sites
Spartan PRODUCER

Spartan

Posted
Posted

The health ministry has clarified that reports of alleged CoWIN portal breach, stating that personal information, including Aadhaar and passport details, phone number, date of birth and gender, was available on a Telegram (online messenger application) bot for a brief period of time, are “without any basis and mischievous in nature".

“The Co-WIN portal of Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on Co-WIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management etc. Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal," the ministry said.

COWIN was developed and is owned and managed by the Ministry of Health and Family Welfare (MoHFW) and is a repository of all data of beneficiaries who have been vaccinated against Covid-19. An Empowered Group on Vaccine Administration (EGVAC) was formed for steering the development of COWIN and for deciding on policy issues. Former CEO National Health Authority (NHA) chaired EGVAC which also included members from MoHFW and Ministry of Electronics and Information Technology (MeitY).

 

The ministry explained that Co-WIN data access is available at three levels:

 

  1. Beneficiary dashboard: The person who has been vaccinated can access the CoWIN data through the use of registered mobile number with OTP authentication.
  2. Co-WIN authorised user: The vaccinator, with the use of authentic login credential provided, can access personal level data of vaccinated beneficiaries. But the COWIN system tracks and keeps record of each time an authorised user accesses the COWIN system.
  3. API-based access: The third party applications who have been provided authorised access of CoWIN APIs can access personal level data of vaccinated beneficiaries only through beneficiary OTP authentication.

 

Ministry on Telegram Bot

 

  • Without OTP, vaccinated beneficiaries’ data cannot be shared to any bot.
  • Only the Year of Birth (YOB) is captured for adult vaccination, but media posts claim that the bot also mentioned the Date of Birth (DOB).
  • There is no provision to capture the address of the beneficiary.

 

With ref to some Alleged Cowin data breaches reported on social media, @IndianCERT has immdtly responded n reviewed thisA Telegram Bot was throwing up Cowin app details upon entry of phone numbers

The data being accessed by bot from a threat actor database, which seems to…

— Rajeev Chandrasekhar 🇮🇳 (@Rajeev_GoI) June 12, 2023

The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP. In addition, there are some APIs which have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application.

The Union Health Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN.

CERT-In, in its initial report, has pointed out that backend database for Telegram bot was not directly accessing the APIs of CoWIN database.

Meanwhile, Rajeev Chandrasekhar, Minister of State for Skill Development and Entrepreneurship, tweeted that it “does not appear that Cowin app or database has been directly breached”. “The data being accessed by bot from a threat actor database, which seems to hv been populated wth previously breached/stolen data stolen from past…National Data Governance policy has been finalized that will create a common framework of Data storage, Access and Security standards across all of govt.”

WHAT HAPPENED IN 2021?

In 2021, when reports claimed that there was a possible CoWIN data breach, the government had denied the claims.

RS Sharma, CEO of the National Health Authority, had vouched for the CoWIN portal, stating it has state-of-the-art security infrastructure and has never faced a security breach.

 

“Data of our citizens on CoWIN is absolutely #safe and #secure. Any news about data leaks from CoWIN holds no merit,” he tweeted.

 
Link to comment
Share on other sites
JackSeal Celebrity

JackSeal

Posted
  • Author
Posted
9 minutes ago, Spartan said:

The health ministry has clarified that reports of alleged CoWIN portal breach, stating that personal information, including Aadhaar and passport details, phone number, date of birth and gender, was available on a Telegram (online messenger application) bot for a brief period of time, are “without any basis and mischievous in nature".

“The Co-WIN portal of Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on Co-WIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management etc. Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal," the ministry said.

COWIN was developed and is owned and managed by the Ministry of Health and Family Welfare (MoHFW) and is a repository of all data of beneficiaries who have been vaccinated against Covid-19. An Empowered Group on Vaccine Administration (EGVAC) was formed for steering the development of COWIN and for deciding on policy issues. Former CEO National Health Authority (NHA) chaired EGVAC which also included members from MoHFW and Ministry of Electronics and Information Technology (MeitY).

 

The ministry explained that Co-WIN data access is available at three levels:

 

  1. Beneficiary dashboard: The person who has been vaccinated can access the CoWIN data through the use of registered mobile number with OTP authentication.
  2. Co-WIN authorised user: The vaccinator, with the use of authentic login credential provided, can access personal level data of vaccinated beneficiaries. But the COWIN system tracks and keeps record of each time an authorised user accesses the COWIN system.
  3. API-based access: The third party applications who have been provided authorised access of CoWIN APIs can access personal level data of vaccinated beneficiaries only through beneficiary OTP authentication.

 

Ministry on Telegram Bot

 

  • Without OTP, vaccinated beneficiaries’ data cannot be shared to any bot.
  • Only the Year of Birth (YOB) is captured for adult vaccination, but media posts claim that the bot also mentioned the Date of Birth (DOB).
  • There is no provision to capture the address of the beneficiary.

 

With ref to some Alleged Cowin data breaches reported on social media, @IndianCERT has immdtly responded n reviewed thisA Telegram Bot was throwing up Cowin app details upon entry of phone numbers

The data being accessed by bot from a threat actor database, which seems to…

— Rajeev Chandrasekhar 🇮🇳 (@Rajeev_GoI) June 12, 2023

The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP. In addition, there are some APIs which have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application.

The Union Health Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN.

CERT-In, in its initial report, has pointed out that backend database for Telegram bot was not directly accessing the APIs of CoWIN database.

Meanwhile, Rajeev Chandrasekhar, Minister of State for Skill Development and Entrepreneurship, tweeted that it “does not appear that Cowin app or database has been directly breached”. “The data being accessed by bot from a threat actor database, which seems to hv been populated wth previously breached/stolen data stolen from past…National Data Governance policy has been finalized that will create a common framework of Data storage, Access and Security standards across all of govt.”

WHAT HAPPENED IN 2021?

In 2021, when reports claimed that there was a possible CoWIN data breach, the government had denied the claims.

RS Sharma, CEO of the National Health Authority, had vouched for the CoWIN portal, stating it has state-of-the-art security infrastructure and has never faced a security breach.

 

“Data of our citizens on CoWIN is absolutely #safe and #secure. Any news about data leaks from CoWIN holds no merit,” he tweeted.

 

CoWIN data ‘leak’: Why the govt statement raises more questions than it answers
https://indianexpress.com/article/explained/explained-sci-tech/cowin-data-leak-why-the-govt-statement-raises-more-questions-than-it-answers-8659412/lite/

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...