CoWin data breach? Read Union minister’s point-by-point rebuttal

After multiple reports alleged that there was a massive CoWin data breach today, Union Minister Rajeev Chandrasekhar took to Twitter and posted a point-by-point rebuttal.

Earlier, it was alleged that the CoWin data breach had leaked information of many people who had provided their personal details at the time of getting themselves vaccinated against Covid. A huge number of people had registered themselves at CoWin by providing their ID proofs like Aadhaar Card, PAN Card, Passport and more.

CoWin is an application developed as an IT solution for implementation of COVID-19 vaccination in India. CoWin website shows that as many as 95.2 Crore citizens have been fully vaccinated.

In his tweet, Chandrasekhar said, “With ref to some Alleged Cowin data breaches reported on social media, @IndianCERT has immdtly responded n reviewed this”.

Thereafter, the minister provided a 4-point rebuttal:

1. “A Telegram Bot was throwing up Cowin app details upon entry of phone numbers”

2. “The data being accessed by bot from a threat actor database, which seems to hv been populated wth previously stolen data stolen in the past.”

3. “It does not appear that Cowin app or database has been directly breached”

4. “National Data Governance policy has been finalized that will create a common framework of Data storage, Access and Security standards across all of govt.”

Speaking to HT Tech, Professor Sandeep Shukla, Professor, IIT-Kanpur said, “I cannot say for sure if the data leak reports are true or mischief as alleged by the government sources.”

He added, “However, if it happens, it is not surprising. No system is 100% secure, and one has to evaluate risk continually and dynamically manage security posture based on threat perception.”

Prof. Shukla concluded by saying, “If we declare ourselves to be fully secure, none of that can happen. Let’s hope the stories are just misleading and not true.”

In its statement, the health ministry said, “CERT-In in its initial report has pointed out that the backend database for the Telegram bot was not directly accessing the APIs of the CoWIN database”.

The ministry dubbed these reports as being ‘mischievous’. The statement said, “It is clarified that all such reports are without any basis and mischievous. The Co-WIN portal of the Health Ministry is completely safe with adequate safeguards for data privacy”.