CoWIN data breach on Telegram: Confidential details of Indians compromised
What's the story
A startling report surfaced today claiming that the personal information of Indian residents, including their Aadhaar, PAN, and passport details, has appeared on Telegram as a result of an alleged data breach of the CoWIN portal.
Individuals provided this personal information on the portal in order to receive the COVID-19 vaccination. However, such details are now freely accessible to anybody.
Context
Why does this story matter?
The alleged breach seems to have leaked the details of prominent politicians as well as journalists.
This is a matter of national concern, and the government must direct the concerned authorities to take punitive action against the fraudsters.
The personal details were being revealed by a Telegram bot, which is said to have been blocked right after the leaks started emerging.
Details
The breach occurred due to the CoWIN portal
As per the reports, the data leak allegedly happened due to the CoWIN portal—the COVID-19 vaccination website.
When a person joined the associated Telegram channel, they were able to access details from the bot.
The bot offered two lookup options: mobile number and Aadhaar. When a registered mobile number was entered, it disclosed the name, vaccination ID card number, gender, birth year, vaccination center's name, and doses.
More
Details of politicians now available on the web
The alleged data breach made the Aadhaar, voter ID, PAN, and passport numbers of politicians accessible to anyone on Telegram.
Saket Gokhale, spokesperson for the Trinamool Congress, has tweeted names along with screenshots of the leaked data, including those of Rajya Sabha MP/TMC leader Derek O'Brien and Congress leader Jairam Ramesh.
Details of Ram Sewak Sharma, CEO of the National Health Authority, might also have been revealed.
Twitter Post
Have a look at the post
SHOCKING:
There has been a MAJOR data breach of Modi Govt where personal details of ALL vaccinated Indians including their mobile nos., Aadhaar numbers, Passport numbers, Voter ID, Details of family members etc. have been leaked & are freely available.
Some examples 👇
(1/7)
— Saket Gokhale (@SaketGokhale) June 12, 2023
Authenticity
The information generated by the bot might be authentic
A Karnataka-based news platform used the Telegram bot to test its authenticity by entering the mobile numbers of politicians across different parties.
When the platform later verified the results independently with those politicians, the details, including the passport/Aadhaar numbers they had given to book vaccination slots, turned out to be genuine.
The bot also allegedly provided details of family members/acquaintances who registered for the vaccination using the same ID.
Scenario
Not possible for anyone to access others' details: RS Sharma
Ram Sewak Sharma, CEO of the National Health Authority, who last year vouched for CoWIN being "safe and secure," rejected the possibility of a breach.
"How can there be a breach of data? Give me the proof, because when you enter a phone number, the OTP comes only to that phone number. It's not possible for anyone to access others' details," he said.
Twitter Post
Here's what the NHA CEO claimed
#CoWIN has state-of-the-art security infrastructure and has never faced a security breach. Data of our citizens on CoWIN is absolutely #safe and #secure. Any news about data leaks from CoWIN holds no merit.
— Dr. RS Sharma (@rssharma3) January 21, 2022
What has happened?
The bot has been taken down already
Through the Telegram bot, those with ill intent allegedly managed to access the personal details of others. The bot was taken down at 9:00 am.
A similar leak was reported in June 2021, when a hacker group named 'Dark Leak Market' claimed that it had the data of around 15 crore Indians who registered themselves on the CoWIN portal.
Response is awaited
MeitY is investigating the issue
Meanwhile, the Ministry of Electronics and Information Technology (MeitY) claimed that the COVID-19 data from the CoWIN platform allegedly leaked on Telegram is "old."
Nonetheless, the Centre is still verifying the issue and has sought a report on it.
If the leaks prove to be true, it will raise serious questions about our country's data security practices.