Privacy activists and watchdogs asked the Minister of IT, Rajeev Chandrashekhar, for more transparency regarding the data breach on Monday.
The internet was rife with the news of an automated messaging platform on Telegram that was allegedly sharing sensitive personal information of Indian citizens. As per the initial assessment, it appears that the information of hundreds of thousands of Indians who received the Covid vaccine was leaked on a Telegram channel. This means that the CoWIN repository, which serves the function of registration, appointment scheduling, identity verification, vaccination and certification of each vaccinated member, could have been breached.
In a four-point statement on Twitter, Chandrashekhar said that it does not appear that the CoWIN portal has been directly breached. Moreover, the data being accessed by the Telegram bot is from a threat actor database, which seems to have been populated with previously breached or stolen data, according to the IT minister.
Apar Gupta, Director, Internet Freedom Foundation, has requested the Centre to provide details of the past breaches, and whether these were investigated. Gupta also requested the minister to provide the basis on which the Centre is stating that the CoWIN database has not been directly breached in this instance.
Chandrashekhar gave an assurance in his statement that the National Data Governance Policy, announced this year, will create a common framework for data security across all government bodies. However, Gupta added that the policy framework is no longer available to the public, so it is unclear how the new framework will protect against data breaches.
‘Moral duty’
Even as the Centre tries to distance itself from the possibility of a direct breach of vaccine data, independent privacy and internet researcher, Srinivas Kodali, argued that it has to answer whether it has shared the vaccine data with any other entity.
“The CoWIN database is clearly involved in the breach one way or the other, as details associated with vaccination have been shared,” Kodali said. He added that the government had a moral duty to inform citizens if a breach had occurred in the past – something that Chandrashekhar alludes to in his statement.
Kodali conjectures that citizens can take the Ministry of Health and Family Welfare to court for not safeguarding their data, as was promised by CoWIN’s privacy policy.
“Co-WIN Platform has reasonable security measures and safeguards in place to protect Your privacy and Personal Information from loss, misuse, unauthorized access, disclosure, destruction, and alteration of the information in compliance with applicable laws,” the privacy brief said.