News

CoWIN Data Breach on Telegram: Government of India Responds

CoWIN data breach on Telegram has reportedly exposed the data of millions of Indians who used to platform for COVID-19 vaccinations

DQINDIA Online

12 Jun 2023 13:05 IST

New Update

A CoWIN data breach on Telegram has shaken the internet. Reports suggest that leaked data is available on the popular social media platform Telegram, which can now be accessed by any user by entering mobile numbers. All personal information including PAN and Aadhaar card details can be accessed say reports.

Advertisment

The Telegram bot allows anyone to search data against phone numbers or Aadhaar for vaccine data. The details exposed shows all the information of users registered under the same number. If true, the magnitude of the leak would be massive as billions of Indians took the vaccination during the pandemic.

The Fourth yesterday reported about a huge #CoWinDataLeak yesterday. There was a telegram Not which allowed to search against phone numbers or aadhaar for vaccine data. Exposed details includes

Family details(who took vaccination under the same number) and below fields pic.twitter.com/FbfXYgbM1A
— 𝗔𝗻𝗶𝘃𝗮𝗿 𝗔𝗿𝗮𝘃𝗶𝗻𝗱 (@anivar) June 12, 2023

What the Indian Government has to say about CoWIN Data Breach on Telegram

Advertisment

The Government of India has denied all the reports and said that they were without any basis and mischievous in nature. “CoWIN portal of Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on CoWIN portal, with web application firewall, anti-DDoS, SSL, TLS, regular vulnerability assessment, identity and access management. Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal,” said a statement from the Indian Government.

With ref to some Alleged Cowin data breaches reported on social media, @IndianCERT has immdtly responded n reviewed this

✅A Telegram Bot was throwing up Cowin app details upon entry of phone numbers

✅The data being accessed by bot from a threat actor database, which seems to…
— Rajeev Chandrasekhar 🇮🇳 (@Rajeev_GoI) June 12, 2023

In its preliminary report, CERT-In highlighted that the backend database for the Telegram bot did not directly connect to the APIs of the CoWIN database.

What the CoWIN Development Team has to say about CoWIN Data Breach on Telegram

The CoWIN development team has verified that there are no publicly accessible APIs that allow data retrieval without an OTP. Furthermore, certain APIs have been provided to select third parties like ICMR for data sharing purposes. Among them, there is an API that permits data sharing by using only a mobile number or Aadhaar. However, this particular API is highly specific and exclusively accepts requests from a trusted API that has been authorized and whitelisted by the CoWIN application.

Advertisment