    Monday, April 29, 2024

      CoWIN Data Breach: Government Says No as COVID-19 Vaccine Recipients' Personal Data Leaked in Alleged Data Breach via Telegram

      The personal data of COVID-19 vaccine recipients in India was reportedly leaked online via a bot on a popular chat platform, allowing users free access without the OTP required for the details stored on the CoWIN platform.

      According to details that surfaced on Twitter, the leaked data also includes the personal information of several politicians and journalists.

      The bot that served the information appears to have been blocked, and government officials are reportedly looking into reports of the leaked information.

      A report states that the personal details uploaded by users to the CoWIN portal for access to COVID-19 vaccination shots were available on Telegram via an automated bot.

      Screenshots of the bot in action surfaced online on Twitter, and the report said it was able to independently verify the claims made on Twitter.

      The bot appears to have been taken down after the initial reports of the data breach.

      Users could input a mobile number and the bot would respond with personal information connected with the phone number, such as their name, gender, date of birth, the vaccination centre, as well as details of the official ID provided by the vaccine recipient, such as their Aadhaar or passport number, as per the report. The report also states that entering the recipient’s Aadhaar number would allow the bot to display the same details.

      You would be able to access these details on the government’s CoWIN portal after entering an OTP.

      The bot, by contrast, reportedly allowed access to this information with just the recipient’s phone number.

      In January 2021, National Health Authority CEO RS Sharma tweeted:


      “#CoWIN has state-of-the-art security infrastructure and has never faced a security breach. Data of our citizens on CoWIN is absolutely #safe and #secure. Any news about data leaks from CoWIN holds no merit.”

      Meanwhile, the government responded to reports of an alleged data breach of the CoWIN database, stating that the data appeared to have been sourced from a different database containing information stolen in the past.

      The response follows reports that an automated bot on Telegram was surfacing personal details of people who had registered with the CoWIN platform to receive COVID vaccinations during the pandemic.

      The government has also claimed that it did not appear that the CoWIN app or database had been directly breached.

      Hours after reports of the alleged data breach, Minister of State for Electronics and Technology Rajeev Chandrasekhar said on Twitter that the Indian Computer Emergency Response Team (CERT-In) had responded to and reviewed the reports of breaches that surfaced on social media.

      The minister said a Telegram bot was sharing CoWIN app details when a phone number was entered.

      As per Rajeev Chandrasekhar, the bot was accessing data from a threat actor database.

      The information available in this database appears to have been sourced from data stolen in the past from an older breach.

      However, the minister did not share additional details of the previous breach, including whether it involved another government entity, whether it was detected before and whether it was disclosed by CERT-In.


      In his tweet, Rajeev Chandrasekhar also said that it did not appear that either the CoWIN app or database was directly breached.

      Rajeev Chandrasekhar has not revealed details of how the CoWIN details of users who registered with the platform were available when both the CoWIN app and website were not directly affected by a data breach.

      The government issued a press release stating that CoWIN data access was available at three levels: the vaccine recipient, the authorised vaccinator, and third-party applications that had API-based (application programming interface) access that only works via user one-time password (OTP) authentication.

      The government said that the platform logs each attempt by an authorised vaccinator to access the CoWIN system.

      The government also said that data from the CoWIN platform could not be shared with an automated bot without an OTP sent to the vaccine recipient, as there was no public API with such a level of access.

      Similarly, the system did not record a recipient’s address and only recorded the year of birth for vaccination, unlike the posts shared on social media that showed the bot responding with the vaccine recipient’s date of birth.

      CoWIN’s development team also confirmed that some APIs were shared with third parties like the Indian Council for Medical Research (ICMR) and requests were only accepted from a trusted API whitelisted by the CoWIN application, which suggests there was at least one API that could access data without an OTP.

      CERT-In has been asked by the Union Health Ministry to investigate the issue and submit a report on its findings, as per the government.
