A major data breach has recently come to light, raising concerns among Indian citizens who had provided their personal information on the CoWIN vaccination portal. The breach is said to have impacted not only ordinary individuals but also prominent political figures.
The leaked data, allegedly accessible to any user, has reportedly made its way onto the popular messaging platform Telegram.
According to a report, the breach has exposed sensitive details, including Aadhaar card and PAN card information, belonging to Indian citizens.
Users on Telegram can simply enter a mobile number registered with the CoWIN portal, and a Telegram bot will reveal the corresponding ID card used for vaccination, along with the individual's gender, birth year, name of the vaccination center, and the number of doses received.
The government has initiated an investigation into the matter.
However, Chandrasekhar clarified that the breach did not occur directly within the CoWIN app or its database. Instead, it appears that the data accessed by the bot originated from a separate threat actor database, potentially comprising previously breached or stolen data.
To address such cybersecurity concerns in the future, Chandrasekhar announced the finalization of the National Data Governance policy. This policy aims to establish a unified framework for data storage, access, and security standards across all government entities.
Meanwhile, the CoWIN development team has responded to the data breach incident. They have clarified that there are no public APIs that allow data to be pulled without an OTP (one-time password).
Additionally, certain APIs have been shared with third parties, such as the Indian Council of Medical Research (ICMR), for the purpose of data sharing. It has been reported that one of these APIs includes a feature that enables data sharing based on the mobile number or Aadhaar card.
However, the government has assured that even this particular API is highly specific and only accepts requests from trusted, whitelisted sources authorized by the CoWIN application.