According to the Centre, “CoWIN portal is completely safe, and data breach reports are naughty”


On Monday, the Union Health Ministry stated that the platform is “completely safe” and that claims alleging a CoWIN data breach are unfounded and malicious in character.

A brief on the Centre's statement that the “CoWIN portal is completely safe, and data breach reports are naughty”

The health ministry denied accusations of data leaks from the platform and stated that CoWIN had proper measures for data privacy.

According to sources, there have been data breaches from the Union Health Ministry’s CoWIN portal, which houses all beneficiary information for those who have received Covid vaccinations.

The Indian Computer Emergency Response Team (CERT-In), according to the ministry, has been asked to investigate the problem and produce a report.

CERT-In responded right away, according to Rajeev Chandrasekhar, MoS IT, and it does not seem that the CoWIN app or database has been directly compromised.

He said that a Telegram bot displayed CoWIN app information when phone numbers were entered. The information being accessed by the bot is from a threat actor database that appears to contain previously stolen or hacked data. The CoWIN app or database does not appear to have been directly compromised, the minister added.

The CoWIN portal also has a web application firewall, ongoing vulnerability scanning, and Identity and Access Management, according to the statement.

Only OTP authentication-based data access is offered. The ministry stated that every precaution has been taken and is being taken to guarantee the security of the data in the CoWIN portal.

According to the health ministry, CERT-In’s initial investigation noted that the Telegram bot’s backend database did not directly access the CoWIN database’s APIs.

According to the article, several Twitter users have reported that a bot on Telegram (an online messenger service) is being used to obtain the personal information of people who have received vaccinations.

According to reports, the bot has been able to access specific data given only a beneficiary’s telephone number or Aadhaar number, the ministry said.

The Ministry of Health and Family Welfare designed, owns, and manages CoWIN. The Empowered Group on Vaccine Administration (EGVAC) was established to direct CoWIN’s development and make decisions on policy matters.

According to the statement, there are currently three tiers of access to individual-level vaccination beneficiary data.

The beneficiary dashboard is the first; after receiving a vaccination, a person can view CoWIN data by using a registered mobile number with OTP authentication.

The second is the CoWIN authorised user, where the vaccine provider has access to personal-level data on beneficiaries who have received vaccinations by using the specified valid login credentials.

The third is API-based access; third-party applications that have been granted access to CoWIN APIs may only access the personal-level data of beneficiaries who have received vaccinations after being authenticated by the beneficiaries’ OTPs.

According to the statement, the CoWIN system monitors and logs every time an authorised user accesses it.

The ministry stated that “without OTP, vaccine beneficiaries’ data cannot be shared to any BOT.”

Additionally, it said that for adult vaccinations, only the year of birth is recorded; nevertheless, media posts appear to allege that the bot also recorded the day of birth.

Additionally, it stated that there is no provision for capturing the beneficiary’s address.

The CoWIN development team has said that no public APIs exist where data may be retrieved without an OTP. In addition to the aforementioned, some APIs have been shared with outside parties, including ICMR, for data sharing. One such API reportedly includes a capability that allows data sharing with only an Aadhaar mobile number. However, the CoWIN application only allows requests from trusted APIs that have been white-listed, and even this API is quite narrow, according to the statement.
