NEW DELHI: In response to alleged data breaches related to India’s Co-WIN app, Rajeev Chandrasekhar, the Minister of State for Electronics and Information Technology (MEITY), has assured the public that the app and its database have not been directly breached. The breaches were reported on social media platforms, raising concerns about the security of personal information.
Investigations conducted by the Indian Computer Emergency Response Team (CERT-In) revealed that a Telegram bot was responsible for displaying Co-WIN app details when phone numbers were entered. However, the data accessed by the bot seems to have originated from a threat actor database. This database appears to have been populated with previously breached or stolen data.
To address such security concerns, the Indian government has finalized the National Data Governance policy. This policy aims to establish a common framework for data storage, access, and security standards across all government entities. With this policy in place, the government aims to enhance the protection of sensitive information and prevent future data breaches.
Recent media reports alleging a breach of data from the Co-WIN portal of India’s Union Health Ministry have been dismissed as baseless and mischievous by the ministry. These reports suggested that personal data of individuals who have been vaccinated against COVID-19 could be accessed through a Telegram Bot. However, the ministry has clarified that the Co-WIN portal is completely safe, with robust safeguards in place to protect data privacy.
The Co-WIN portal, developed and managed by the Ministry of Health and Family Welfare (MoHFW), incorporates various security measures such as a Web Application Firewall, Anti-DDoS protection, SSL/TLS encryption, regular vulnerability assessments, and Identity & Access Management protocols. Access to data on the portal is strictly based on One-Time Password (OTP) authentication, ensuring the confidentiality and security of individuals’ information.
The Co-WIN data access is structured at three levels. Firstly, vaccinated individuals can access their own data through the beneficiary dashboard by using their registered mobile number and undergoing OTP authentication. Secondly, authorized vaccinators can access personal-level data of vaccinated beneficiaries through authenticated login credentials. It’s important to note that every access to the Co-WIN system is recorded for accountability.
Thirdly, third-party applications with authorized access to Co-WIN APIs can only access personal-level data of vaccinated beneficiaries through beneficiary OTP authentication. The Co-WIN system does not allow sharing of vaccinated beneficiaries’ data with any Telegram bot without OTP authentication. Additionally, the system captures only the Year of Birth (YOB) for adult vaccination, contrary to claims on social media suggesting that the bot has access to Date of Birth (DOB) and address information, which is not captured.
The development team of Co-WIN has confirmed that there are no public APIs where data can be accessed without OTP authentication. While some APIs have been shared with trusted third parties like the Indian Council of Medical Research (ICMR) for data sharing, these APIs have specific features and can only be accessed by trusted white-listed applications.
In response to the allegations, the Union Health Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to investigate the matter thoroughly and provide a detailed report. An internal review of the existing security measures of Co-WIN has also been initiated to ensure the continued protection of data.
In its initial report, CERT-In has highlighted that the backend database of the Telegram Bot did not directly access the Co-WIN database APIs, further affirming the security measures in place.
- Rajeev Chandrasekhar, India’s Minister of State for Electronics and Information Technology, assures the public that the Co-WIN app and its database have not been directly breached.
- The Indian government has finalized the National Data Governance policy to establish a common framework for data storage, access, and security standards across all government entities.
- The Co-WIN portal of the Ministry of Health incorporates multiple security measures, including a Web Application Firewall, Anti-DDoS protection, SSL/TLS encryption, regular vulnerability assessments, and Identity & Access Management protocols.
- Only OTP authentication-based access is provided on the Co-WIN portal to ensure data privacy and security.
- The Ministry of Health has requested CERT-In to investigate the alleged data breaches and submit a detailed report.