A major data breach outing personal details of users via the government’s CoWIN portal on Telegram was reported on June 12. Rajeev Chandrasekhar, Union Minister of Information Technology, acknowledged the breach, revealing that the data that has surfaced comes from previously leaked or stolen data. He stated in a tweet that the CoWIN app “does not appear to be directly breached”.
Health Ministry Acknowledges CoWIN Data Breach
The Minister of State for IT, in a tweet, explained that “previously stolen data” was seemingly accessed by a Telegram (online messenger application) bot. “A Telegram Bot was throwing up Cowin app details upon entry of phone numbers. The data was being accessed by bot from a threat actor database, which seems to have been populated with previously stolen data,” he said.
With ref to some Alleged Cowin data breaches reported on social media, @IndianCERT has immdtly responded n reviewed this
✅A Telegram Bot was throwing up Cowin app details upon entry of phone numbers
✅The data being accessed by bot from a threat actor database, which seems to…
— Rajeev Chandrasekhar 🇮🇳 (@Rajeev_GoI) June 12, 2023
Mr. Chandrasekhar also stated that the National Data Governance policy, which will set a common set of data storage, access, and safety standards throughout the country, has been finalized.
“With reference to some alleged CoWin data breaches reported on social media, @IndianCERT has immediately responded and reviewed this,” he tweeted.
Given that almost every adult Indian citizen who took the COVID vaccine was forced to do so through CO-WIN, the scope of this data leak is far greater than any other data breach to date. For immunisation, sharing phone numbers and an identity card was necessary to share phone numbers and an identity card. This ID card frequently contained an Aadhaar number, which should ideally not be stored under the Aadhaar Act. However, we can see that all of this data was stored on unencrypted databases and was clearly breached. The screenshots of the data breach show that the scope of the breach is so broad that addressing it can be challenging.
As previously stated in these columns, once a breach occurs, the primary necessity is to conduct a forensic examination and address the security issue at hand. This is the task of India’s Computer Emergency Response Team, which has failed so many times that failure has become the standard rather than the exception. Cybersecurity audits, forensic analyses, and basic safety procedures have been missing from Digital India’s master plans. The Indian government wants to improve data collection but has no desire to protect this data. Worse, it considers the most recent occurrence as an accident.
Many questioned the government’s insistence on citizens that submitting Aadhar Cards and other health IDs at the time of the COVID vaccine. Many have questioned if the government can guarantee their privacy after giving their data to the CoWin portal. In fact, the CoWin website did not have a privacy policy, and the general public and the Internet Freedom Foundation to begin with, and it was the general public and the Internet Freedom Foundation that forced the National Health Authority to implement one two years ago.
The Ministry of Health and Family Welfare developed, owns, and manages the CoWin. An Empowered Group on Vaccine Administration (EGVAC) was formed to guide the development of COWin and make policy decisions.
It is obvious that the government cannot protect our data, and expecting it to do so is probably a futile demand. Although the executive is supposed to protect our fundamental rights, it is clear that its priority is in commodifying our data rather than protecting us. In this case, our only choice as citizens is to refuse to give our data and demand data removals. Even still, with calls to share our Aadhaar, phone numbers, and all of our personal data to help build a data economy, this is not an option.