As reports of a possible Co-WIN breach exposing details of 100-crore-plus vaccinated citizens surfaced, Monday, the Centre maintained the portal is “completely safe” with safeguards in place for data privacy.
The Health Ministry has, nevertheless, requested CERT-In to investigate the issue and submit a report, it added.
Meanwhile, Union Minister of State for Electronics & Technology, Rajeev Chandrasekhar, took to Twitter and said, Co-WIN data had not been “directly” breached.
A Telegram bot threw up Co-WIN app details of individuals upon entry of registered mobile phone numbers. But the data are unlikely to have been generated by breaching the portal or its database, he added.
A senior Health Ministry official told businessline, “CERT-In in its initial report pointed out that back-end database for Telegram bot was not directly accessing the APIs of the Co-WIN database.” (CERT-In is the Computer Emergency Response Team). “In all likelihood the breach could be from some other source beyond Co-WIN,” the official said.
The errant program/bot currently stands disabled, a source added.
Congress’ organisational general secretary, KC Venugopal, said he was “appalled” at the “casual response” of the Centre towards this “breach of privacy”. “This clearly shows that the Co-WIN data were not encrypted,” he said.
Past breaches?
Apar Gupta, Director, Internet Freedom Foundation, requested the Centre to provide details of the past breaches, and whether these were investigated. Gupta also requested the minister to provide the basis on which the Centre is stating that the Co-WIN database has not been “directly breached”.
“It was waiting to happen. They have collected the data without the backup of a Data Privacy law. They have given no option to the users to delete the data after they have utilised the service,” Srinivas Kodali, Data Privacy activist, added.
Probe findings
A Health Ministry source said, initial probe findings show, the Telegram bot was accessing data from a “threat actor database” which was “populated” with previously breached or past stolen data.
“The development team of Co-WIN has confirmed that there are no public APIs where data can be pulled without an OTP,” the Health statement said.
The Application Program Interface, is a software with a specific function. (A threat actor is an entity responsible for a cybersecurity breach / incident; whereas a bot is a software performing automated and pre-defined tasks, replicating human behaviour.)
- Also read: The roadmap to cross-border data transfer
There are some APIs which have been shared with third parties (such as ICMR); but these are “very specific” and requests are accepted from a trusted API, white-listed by the Co-WIN application.
Co=WIN is connected with UMANG (Unified Mobile Application for New-age Governance) and Arogya Setu apps.
Data breach allegations
Allegations had surfaced earlier in the day, that a bot (robot) was sharing personal information – including Aadhaar numbers, passport details, address, date of birth, etc.
The bot reportedly used information on Co-WIN (used by Indians to register for their Covid-19 vaccination). Details of politicians and bureaucrats was made public.
‘Moral duty’
“The Co-WIN database is clearly involved in the breach one way or the other, as details associated with vaccination have been shared,” Kodali said.
The government had a moral duty to inform citizens if a breach had occurred in the past. – something that Chandrashekhar alludes to in his statement. Chandrasekhar, though, clarified later that “Co-WIN was not breached”.
Kodali further added, citizens can take the Health Ministry to court for not safeguarding their data, as was promised by CoWIN’s privacy policy.
“Co-WIN Platform has reasonable security measures and safeguards in place to protect Your privacy and Personal Information from loss, misuse, unauthorised access, disclosure, destruction, and alteration of the information in compliance with applicable laws,” the privacy brief said.
- Also read: Covid has led to major rise in child labour
The Free Software Movement of India (FSMI) also has asked the government to order an inquiry into the breach and release a white paper.
“We consider this breach to be a serious matter that puts the personal information and sensitive health data of millions of individuals at risk,” Kiran Chandra, General Secretary of FSMI, said. “It is the responsibility of the government to protect personal data, especially, health data of its citizens, and this data breach poses a risk,” he said.
Demanding a thorough probe into the breach, he wanted the government to strengthen cybersecurity measures to ensure the privacy of the citizens.
(Inputs from K V Kurmanath, Ayushi Kar)
