June 14 2023: The Indian Health Ministry has said reports of data breach of beneficiaries who received COVID vaccination are “without any basis and mischievous in nature.” ,reports The Hindu
It said the Indian Computer Emergency Response Team (CERT-In) had been asked to investigate the issue and submit a report.
The CoWIN (Covid Vaccine Intelligence Network) portal is completely safe with adequate safeguards for data privacy, the Ministry maintained.
“It does not appear that CoWIN app or database has been directly breached,” tweeted Rajeev Chandrasekhar, Union Minister of State for Electronics, and Information Technology, clarifying that data being accessed by the bot from a threat actor database seems to have been populated with previously breached/stolen data. The database, he said, was other than CoWIN.
But what is more worrying is the fact that CoWIN, which serves the functions of registration, appointment scheduling, identity verification, vaccination, and certification of each vaccinated member, has also been integrated in the Aarogya Setu and UMANG Apps.
UMANG (Unified Mobile Application for New-age Governance) is developed by the Ministry of Electronics and Information Technology (MeitY) and National e-Governance Division (NeGD) to drive mobile governance in India. UMANG provides a single platform for all Indian citizens to access pan India e-Gov services ranging from Central to local government bodies.
The current data breach is possible if the mobile number of a person is entered — details such as the identification number of the document submitted for vaccination (Aadhaar, passport, PAN card and so forth), gender, date of birth, and the centre where the vaccine was administered, are provided as reply in an instant by the messenger bot in question.These details could be accessed even if the Aadhaar number was entered instead of the phone number. The passport numbers of those who had updated the CoWIN portal for travel abroad were also leaked.
For a news clip on the leak see out TechVideo spot
on the home page for a few days
CloudSEK, a leading provider of contextual AI digital risk management solutions, has released its latest report titled "Cowin Data Leak Claim and CloudSEK Analysis."
The report provides detailed insights into the discovery made by CloudSEK's contextual AI digital risk platform, XVigil, which detected a threat actor advertising a Telegram bot offering access to PII data of Cowin Portal registrants. While the threat actors do not have access to the entire Cowin portal or the backend database, they have obtained multiple credentials belonging to health workers, raising concerns about data security. The report also includes attribution analysis of the threat actor's activities and recommendations to mitigate the risks posed by this incident.
Key Highlights Of Report:
CloudSEK's analysis concludes that the threat actors do not have access to the entire Cowin portal or its backend database.
It is believed that the threat actors have obtained multiple credentials belonging to health workers, which they can use to access the CoWIN portal and its associated data.
On March 13, 2022, a threat actor on a Russian cybercrime forum advertised compromised access to the Cowin Portal, sharing a screenshot of the Cowin database portal affecting the Tamil Nadu region.
There are numerous healthcare worker credentials available on the dark web for the Cowin portal, highlighting the need for better endpoint security measures for healthcare workers.
Abhishek Malhotra, Managing Partner of TMT Law Practice comments:
In a significant data breach, the confidential information of numerous Indian citizens, including prominent politicians and celebrities, has been exposed. The leaked data originated from the CoWIN application, a platform utilized for COVID-19 vaccination registration. The breach occurred when a Telegram bot illicitly uploaded the personal data of individuals who had registered on the CoWIN application. This data breach raises crucial questions regarding public health, data misuse, and the potential impact on the government's "Digital First" initiatives.
Public Health Implications: The leak of private information from CoWIN poses a significant threat to public health. Individuals who trusted the system to safeguard their personal details are now left vulnerable. This incident undermines public confidence in the security and privacy of sensitive healthcare data, potentially discouraging citizens from actively participating in vital vaccination programs.
Data Misuse Concerns: The breach exposes the affected individuals to various risks of data misuse. Stolen personal information can be exploited for identity theft, financial fraud, or even harassment. Furthermore, the leaked data could potentially be weaponized for targeted phishing attacks and social engineering attempts, further compromising the security and well-being of those affected.
Impact on Government Initiatives:The government's "Digital First" initiatives, aimed at driving technological advancements and enhancing public services, may face significant setbacks in light of this data breach. Citizens may question the overall efficacy and security of digital platforms when such breaches occur, hindering efforts to foster a digital ecosystem and citizen trust.
Accountability and Responsibility: In the wake of this breach, one crucial aspect that demands attention is determining who will take responsibility for this security lapse. Clear accountability measures need to be established to address the breach, mitigate its impact, and ensure that such incidents are prevented in the future. This incident underscores the urgency for robust data protection laws and stringent security measures to safeguard citizens' sensitive information.
We believe that by addressing the concerns raised by this incident and enacting comprehensive data privacy laws, the government can rebuild public trust, fortify the digital ecosystem, and protect the privacy of Indian citizens in the digital age.