The Union government of India has dismissed reports of a data leak involving Covid vaccinated individuals, referring to them as “mischievous.” The government stated that the alleged bot accessing private data was not directly accessing the CoWIN database but may be displaying information from previously stolen data.
An internal review of the security measures of CoWIN, the platform for vaccination registration and certification, has been initiated. The government clarified that the backend database for the Telegram bot was not directly accessing the CoWIN database APIs, as highlighted in the initial report by CERT-In.
Minister of State for Electronics and IT, Rajeev Chandrasekhar, noted that the CoWIN app or database did not appear to have been directly breached. Instead, the data accessed by the bot seems to have originated from a malicious database populated with previously stolen data, although the specific source is unclear.
Certain posts on Twitter claimed that personal data of vaccinated individuals was accessible through a Telegram bot by using mobile or Aadhaar numbers, but the government deemed these reports baseless and mischievous.
The government emphasized that the Co-WIN portal is secure, with measures in place to safeguard data privacy, including a web application firewall, anti-DDoS protection, SSL/TLS encryption, regular vulnerability assessments, and identity and access management.
Data can be accessed only through OTP-based authentication, and there are no public APIs that allow data retrieval without an OTP. While some APIs are shared with trusted third parties, the ministry clarified that even these APIs require specific requests from white-listed sources. The government also stated that the Telegram bot cannot access vaccinated beneficiaries’ data without an OTP, and it only captures the year of birth, not the date of birth or address.