Co-WIN Portal Completely Safe with Safeguards for Data Privacy: Centre Rubbishes Alleged Data Breach Reports
GG News Bureau
New Delhi, 12th June. The Centre dismissed reports of an alleged data breach on the Health Ministry’s CoWIN platform on Monday, claiming that it is entirely secure and has adequate measures for data privacy.
Earlier in the day, it was revealed that an automated account on the messaging platform Telegram was allegedly exposing sensitive personal information of Indian individuals who signed up for the CoWIN portal for their Covid-19 vaccinations, including their Aadhaar and passport data.
The Centre issued the following clarification, “Certain posts on the social media platform Twitter have claimed using a Telegram (online messenger application) BOT, the personal data of individuals who have been vaccinated is being accessed. It is reported that the BOT has been able to pull individual data by simply passing the mobile number or Aadhaar number of a beneficiary.”
“It is clarified that all such reports are without any basis and mischievous in nature. Co-WIN portal of Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on Co-WIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management etc. Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal,” the statement added.
The statement described the security measures as follows: “The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP. In addition to the above, there are some APIs which have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application.”
The Union Health Ministry, however, has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN.
CERT-In, in its initial report, has pointed out that the backend database for the Telegram bot was not directly accessing the APIs of the CoWIN database.