Wednesday, May 8, 2024

Govt says CoWIN breach reports ‘mischievous in nature’, asserts portal is ‘completely safe’

Union minister Rajeev Chandrasekhar says Telegram bot was not accessing CoWIN database directly, but may be showing information from 'previously stolen data'.


New Delhi: Terming the data leak reports about Covid vaccinated people as “mischievous in nature”, the Union government Monday said that the ‘bot’ that had allegedly accessed the private data was not accessing the CoWIN database directly.

Instead, the government said the bot may be showing information from “previously stolen data”, according to an initial report by the Indian Computer Emergency Response Team (CERT-In), the cyber security arm of the government.

In a statement, the government added that it has initiated an internal exercise to review the existing security measures of CoWIN, which served as the single point of contact for citizens to register and schedule appointments for Covid vaccination, as well as get vaccination certificates, during the pandemic.

“CERT-In in its initial report has pointed out that the backend database for Telegram bot was not directly accessing the APIs of the CoWIN database,” the Union health ministry said in the statement, adding that it has requested the CERT-In to submit a report. 

APIs, or application programming interfaces, are access points to an app through which applications talk to and interact with each other.

Minister of State for Electronics and IT (MeitY) Rajeev Chandrasekhar tweeted that as per initial review, “it does not appear that Cowin app or database has been directly breached (sic)”.

He added that the data was being accessed by the bot from a threat actor's (malicious) database, which seems to have been populated with previously stolen data. It is not clear which previously stolen database the minister was referring to.

According to reports circulating since Monday morning, a Telegram bot, when fed a mobile number, disclosed all information related to the person to whom the number belonged, including Aadhaar, passport, and PAN card details, as well as the centres where they were vaccinated.

“Certain posts on the social media platform Twitter have claimed using a Telegram (online messenger application) BOT, the personal data of individuals who have been vaccinated is being accessed. It is reported that the BOT has been able to pull individual data by simply passing the mobile number or Aadhaar number of a beneficiary,” the ministry statement said, adding that “all such reports are without any basis and mischievous in nature”.

The Co-WIN portal is completely safe with adequate safeguards for data privacy, it said, adding that security measures are in place on the portal, including a Web Application Firewall, anti-DDoS, SSL/TLS, regular vulnerability assessment, and Identity & Access Management.

“Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal,” it asserted.

“The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP. In addition…there are some APIs which have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application,” the ministry further said.

On the Telegram bot, it asserted that without an OTP, vaccinated beneficiaries’ data cannot be shared with any bot. “…Only Year of Birth (YOB) is captured for adult vaccination but it seems that in media posts it has been claimed that Bot also mentioned Date of Birth (DOB). There is no provision to capture the address of the beneficiary,” it added.

(Edited by Zinnia Ray Chaudhuri)

(This is an updated version of the report)

