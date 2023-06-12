Technology

CoWIN data breach on Telegram: Confidential details of Indians compromised

Written by Akash Pandey June 12, 2023 | 03:24 pm 3 min read

CoWIN portal implements an One Time Password (OTP) system to obtain details

A startling report has surfaced today, claiming the personal information of Indian residents, including their Aadhaar, PAN, and passport details have surfaced on Telegram, as a result of an alleged data breach on the CoWIN portal. The personal information was provided by individuals on the portal in order to receive the COVID-19 vaccination. However, now such details are free to access by anybody.

Why does this story matter?

The alleged breach seems to have leaked the details of prominent politicians as well as journalists. This is a matter of national concern, and the government must direct the concerned authorities to take punitive action against the fraudsters. The personal details were being revealed by a Telegram bot, which is said to have been blocked right after the leaks started emerging.

The breach occurred due to the CoWIN portal

As per the reports, the data leak allegedly happened due to the CoWIN portal—the COVID-19 vaccination website. When a person joined the associated Telegram channel, they were able to access details from the bot. The bot allowed two options—mobile number and Aadhaar. Upon entering the registered mobile number, it disclosed the name, vaccination ID card number, gender, birth year, vaccination center's name, and doses.

Details of politicians now available on the web

The alleged data breach made the Aadhaar, voter ID, PAN, and passport numbers of politicians accessible to anyone on Telegram. Saket Gokhale—spokesperson for the Trinamool Congress, has tweeted names with screenshots of their data, including those of Rajya Sabha MP/TMC leader Derek O'Brien and Congress leader Jairam Ramesh. Details of Ram Sewak Sharma, CEO of the National Health Authority might also have been revealed.

Have a look at the post

The information generated by the bot might be authentic

A Karnataka-based news platform used the Telegram bot to test its authenticity by entering the mobile numbers of politicians across different parties. Later, when they independently verified with those politicians, details including passport/Aadhaar numbers given by them for booking vaccination slots, came out to be genuine. The bot also allegedly provided details of family members/acquaintances who registered for the vaccination using the same ID.

Not possible for anyone to access others' details: RS Sharma

Ram Sewak Sharma, CEO of the National Health Authority, who vouched for CoWIN to be "safe and secure" last year, refused the possibility of a breach. "How can there be a breach of data? Give me the proof, because when you enter a phone number, the OTP comes only to that phone number. It's not possible for anyone to access others' details," he said.

Here's what the NHA CEO claimed

The bot has been taken down already

Thanks to the Telegram bot, those with ill intent allegedly managed to access the personal details of others. It was taken down at 9:00 am. A similar leak was reported in June 2021, when a hacker group named 'Dark Leak Market' claimed that it had the data of around 15 crore Indians who registered themselves on the CoWIN portal.

MeitY is investigating the issue

Meanwhile, the Ministry of Electronics and Information Technology (MeitY) claimed that the COVID-19 data from the CoWIN platform, allegedly leaked on Telegram is "old." Nonetheless, the Centre is still verifying the issue and has sought a report regarding the same. If the leaks prove to be true, it will raise serious questions about our country's data security practices.