CoWIN Data Leak

The information of hundreds of thousands of Indians who received the COVID vaccination was exposed in a significant data breach and posted on a Telegram channel.

The Fourth News, a Malayalam news portal, said that a Telegram bot on the channel “hak4learn” was providing access to the private information of millions of Indians.

As mentioned by the channel operator, you may access documents of the mobile number registered on the CoWin site.

It is also feasible to determine which vaccination was given and where it was given.

The CoWIN vaccination monitoring app from India, which has more than 1 billion registered users, is noteworthy.

“The scale of the data breach is what makes it hard to guess the repercussions,” says Srikanth Lakshmanan, a researcher who runs the digital payments collective Cashless Consumer. 

“Conservative estimates mean at least personal data of several hundred million users was exposed.”

List Of Individuals Whose Data Was Exposed

Several reports claim that sensitive information, including a person’s phone number, gender, ID card details, and date of birth, was exposed on Telegram. By providing a person’s name, a Telegram bot might obtain it.

Local news media have used the bot to gain access to the private data of politicians. The bot stopped functioning on the morning of June 12.

Since the bot was probably merely a shop window for whoever hacked the database, the fact that it has been shut down doesn’t indicate the breach is done, according to Lakshmanan.

“Usually, hackers reveal a slice of data publicly via a bot or web page to prove to the world they have said data and then sell it on the dark web,” Lakshmanan says. 

“While the bot is down now, we don’t know where all the data is being traded.”

The Cowin Portal Of The Health Ministry Is Completely Safe

According to the health ministry, allegations that the CoWIN site has been compromised are “without any basis” and the organization in charge of handling cybersecurity issues, the Computer Emergency Response Team, has been requested to look into the accusations.

The government said that the Co-WIN portal of the health ministry is completely safe, with adequate safeguards for data privacy

“The development team of COWIN has confirmed that there are no public APIs (application programming interface) where data can be pulled without an OTP (one-time password). In addition to the above, there are some APIs which have been shared with third parties such as ICMR (Indian Council of Medical Research) for sharing data,” the ministry said in its statement.

“It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the CoWIN application,” it added.

According to the health ministry, an internal exercise has also been started to assess the CoWIN security procedures that are now in place.

Minister Rajeev Chandrasekhar said, “National Data Governance policy has been finalized that will create a common framework of data storage, access and security standards across all of government.”

Stop Advanced Email Threats That Target Your Business Email – Try AI-Powered Email Security

Guru is an Ex-Security Engineer at Comodo Cybersecurity. Co-Founder - Cyber Security News & GBHackers On Security.


Please enter your comment!
Please enter your name here