
Centre terms CoWIN data leak claim ‘mischievous’, says portal completely safe

On Monday, the Centre asserted that the CoWIN site of the Health Ministry is completely secure and incorporates essential data privacy measures. The Centre dismissed media reports that alleged a breach of beneficiary data of individuals who have received COVID vaccinations in the country, deeming such claims as “mischievous in nature.”

Recent media reports have surfaced alleging a breach of data pertaining to beneficiaries who have received COVID vaccinations in the country. These reports suggest that the breach occurred on social media platforms and involved data from the Co-WIN portal of the Union Health Ministry, which serves as a repository for information on vaccinated individuals.

According to certain posts on Twitter, the personal information of people who have been vaccinated is allegedly accessible through a Telegram BOT. According to reports, the BOT can retrieve personal information when given only a beneficiary’s mobile number or Aadhaar number.

The statement makes it clear that all of these rumours are unfounded and malicious in character. The Health Ministry’s CoWIN site is entirely secure and has sufficient data privacy protections. A Web Application Firewall, Anti-DDoS, SSL/TLS, frequent vulnerability assessment, Identity & Access Management, and other security measures are also in place on the Co-WIN portal.

Only OTP-based authentication is offered for data access. To protect the security of the data on the CoWIN site, every precaution has been taken and is still being taken. MoHFW is the developer, owner, and manager of COWIN. To direct the creation of COWIN and make decisions about policy, the Empowered Group on Vaccine Administration (EGVAC) was established.

According to the statement, EGVAC, which also had representatives from MoHFW and MeitY, was presided over by the former CEO of the National Health Authority (NHA).

Access to CoWIN data: Currently, there are three tiers of access to individual-level vaccination beneficiary data, as listed below:

Beneficiary dashboard- Through the use of a registered Mobile number with OTP authentication, the vaccine recipient can access the Co-WIN data.

Co-WIN authorized user- A valid login credential can be used by the vaccine provider to access the personal data of recipients of vaccinations. However, the COWIN system monitors and records each time a legitimate user logs in.

API-based access – Third-party applications that have been granted authorised access to Co-WIN APIs can access the personal-level data of vaccinated beneficiaries only through beneficiary OTP authentication.

Telegram BOT- Data on vaccinated beneficiaries cannot be shared with any BOT without OTP.
For adult vaccinations, only the year of birth (YOB) is recorded; however, media reports appear to have stated that the BOT also mentioned the date of birth (DOB). There is no provision to capture the beneficiary’s address.

The COWIN development team has stated that there are no public APIs that allow data to be retrieved without an OTP. In addition, some APIs have been shared with third parties, including ICMR, for data exchange.

One such API reportedly includes a capability that allows data sharing with only an Aadhaar mobile number. The statement added that even this API is highly specific, and requests are accepted only from trusted APIs that have been white-listed by the Co-WIN application.

The Union Health Ministry has asked the Indian Computer Emergency Response Team (CERT-In) to investigate the issue and submit a report. In addition, an internal review of CoWIN’s existing security measures has begun.

In its prima facie assessment, CERT-In noted that the Telegram bot’s backend database did not directly access the CoWIN database’s APIs.

Anupam Shrivastava
