“Without OTP, vaccinated beneficiaries’ data cannot be shared to any bot… There is no provision to capture address of beneficiary,” the health ministry clarified, adding it has requested the CERT-In to look into the issue and submit a report
The health ministry has clarified that reports of alleged CoWIN portal breach, stating that personal information, including Aadhaar and passport details, phone number, date of birth and gender, was available on a Telegram (online messenger application) bot for a brief period of time, are “without any basis and mischievous in nature”.
Read More: Heatwave alert! Schools closed in Patna, Jharkhand – Check dates here
“The Co-WIN portal of Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on Co-WIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management etc. Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal,” the ministry said.
COWIN was developed and is owned and managed by the Ministry of Health and Family Welfare (MoHFW) and is a repository of all data of beneficiaries who have been vaccinated against Covid-19. An Empowered Group on Vaccine Administration (EGVAC) was formed for steering the development of COWIN and for deciding on policy issues. Former CEO National Health Authority (NHA) chaired EGVAC which also included members from MoHFW and Ministry of Electronics and Information Technology (MeitY).
Read More: DGCA Eases Norms For Indian Carriers to Start Ops on New International Destination
The ministry explained that Co-WIN data access is available at three levels:
- Beneficiary dashboard: The person who has been vaccinated can access the CoWIN data through the use of registered mobile number with OTP authentication.
- Co-WIN authorised user: The vaccinator, with the use of authentic login credential provided, can access personal level data of vaccinated beneficiaries. But the COWIN system tracks and keeps record of each time an authorised user accesses the COWIN system.
- API-based access: The third party applications who have been provided authorised access of CoWIN APIs can access personal level data of vaccinated beneficiaries only through beneficiary OTP authentication.
MINISTRY ON TELEGRAM BOT
- Without OTP, vaccinated beneficiaries’ data cannot be shared to any bot.
- Only the Year of Birth (YOB) is captured for adult vaccination, but media posts claim that the bot also mentioned the Date of Birth (DOB).
- There is no provision to capture the address of the beneficiary. Read More: Cyclone Biparjoy: Section 144 In Kutch; BJP Cancels All Rallies as Authorities Prepare For Landfall
The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP. In addition, there are some APIs which have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application.
The Union Health Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN.
CERT-In, in its initial report, has pointed out that backend database for Telegram bot was not directly accessing the APIs of CoWIN database.
Meanwhile, Rajeev Chandrasekhar, Minister of State for Skill Development and Entrepreneurship, tweeted that it “does not appear that Cowin app or database has been directly breached”. “The data being accessed by bot from a threat actor database, which seems to hv been populated wth previously breached/stolen data stolen from past…National Data Governance policy has been finalized that will create a common framework of Data storage, Access and Security standards across all of govt.”
WHAT HAPPENED IN 2021?
In 2021, when reports claimed that there was a possible CoWIN data breach, the government had denied the claims.
RS Sharma, CEO of the National Health Authority, had vouched for the CoWIN portal, stating it has state-of-the-art security infrastructure and has never faced a security breach.
“Data of our citizens on CoWIN is absolutely #safe and #secure. Any news about data leaks from CoWIN holds no merit,” he tweeted.
‘ABSOLUTE SECURITY A MYTH’
Supreme Court lawyer and cybersecurity expert, Dr Pavan Duggal, however, said that absolute security doesn’t exist and what was secured yesterday may not be secured today or tomorrow. “If any entity says we are 100% safe, that is not accurate. But we have to find the loopholes which could potentially be misused by cybercriminals,” he added.
