The personal data of over a billion individuals who registered for the COVID vaccine has been compromised after unauthorised access to CoWIN data by a Telegram bot. The government has denied any data breach with Minister of State for Electronics and IT Rajeev Chandrasekhar saying that the nodal cybersecurity agency, CERT-in, has reviewed the alleged leak and found that the CoWIN portal was not directly breached.
The compromised data includes sensitive information such as names, dates of birth, gender, and passport numbers which was shared by an automated Telegram account when provided with a phone number or Aadhaar ID. The Telegram account has now been taken down.
Despite the government’s claims, it is believed that the data breach occurred using previously compromised databases. Concerns about privacy had been raised since the launch of the CoWIN platform in 2021, highlighting the risks associated with collecting personal information. The CoWIN portal, a government-funded online platform, was created to record personally identifiable information of those vaccinated against COVID-19.
READ | RBI mandates banks to settle with wilful defaulters, fraudsters
In India, privacy issues rarely get significant attention, unlike in developed countries where scandals of this magnitude would demand stricter action from respective government departments. The lack of awareness and a sense of helplessness among citizens contribute to the acceptance of such blunders, despite the vulnerability to cyber fraud that arises from data breaches. India’s low digital literacy levels further expose the poor and illiterate to higher instances of scams involving their available data.
Cyber fraud is just one consequence of these breaches. With the increase in hate crimes, such leaks create a recipe for disaster and can lead to severe law and order issues. Moreover, social engineering scams are rampant, with scamsters attempting to steal financial and personal information. When scamsters have access to personal data, their work becomes much easier. This is particularly worrying since many Indians use simple passwords, such as their date of birth, for crucial accounts like UPI, emails, and net banking. The Telegram bot provided exact dates of birth, highly sensitive information critical from a security standpoint, which is now compromised. Dates of birth are often used to reset passwords as well.
Govt response to CoWIN data breach
The government’s response to the data breach has been criticised for its inadequacy and loopholes. The Health Ministry issued a press release ruling out the use of CoWIN’s APIs by the Telegram bot and asserting the platform’s complete safety with adequate data privacy safeguards. The government stated that the backend database for the Telegram bot did not directly access the CoWIN database and that no bot could access the data without OTP confirmation.
However, there are significant gaps in this explanation, as it fails to address how the bot accessed vaccine information if it did not come from CoWin. The government stated that the bot was populated with data from other breaches but failed to specify which other database was breached. The vague phrases “not directly breached” and “not directly accessing” offer no reassurance.
Furthermore, the bot displayed people’s date of birth, while the ministry insisted that CoWIN only collects the year of birth. The government has never publicly acknowledged whether Aadhaar data has been hacked, and there are no clear explanations as to how the bot accurately matched Aadhaar numbers with mobile numbers.
The Indian government owes more to its people. Despite claiming to prioritise data security, it has often fallen short in practice. Experts agree that state-controlled user data protection is a failure, even though the government claims to be building world-class digital infrastructure. The evident gaps in India’s privacy laws reflect a lack of accountability. Although a data protection bill is in progress, it remains in the draft stage and has progressively become diluted with more provisions and relaxation for the government.
What the government must do is enhance its capacity and competence in safeguarding its own databases. It cannot afford to allow individuals with minimal technological skills to gain control over citizens’ precious data.
The health ministry has requested CERT-In to investigate this issue and provide a final report. Chandrasekhar mentioned that the National Data Governance policy has been finalised, aiming to establish a common framework for data storage, access, and security standards across all government entities.
A breach of government data base could have serious consequences for individuals, businesses, and the government itself. Some of the possible consequences are financial loss for individuals and businesses, identity theft, national security risks, disruption of government services, and loss of trust.