Government claims Co-WIN data of 150 million Indians wasn't leaked
What's the story
Recently, a website on the dark web claimed that the personal data of approximately 150 million people has been leaked. It claimed that the data was leaked from the Indian government's COVID-19 vaccination appointment booking portal called Co-WIN. The Union Health Ministry has since dismissed these claims, labeling them "fake". Here's everything you need to know about the incident.
What’s collected?
Co-WIN portal collects limited information from those enrolled for vaccination
The Co-WIN portal, operated by the Indian government's Ministry of Health and Family Welfare, is used for enrolling citizens to get vaccinated against COVID-19 at private hospitals and government-run vaccination centers. In the process, it collects one's phone number for registration, postal code for identifying nearby vaccination centers, and Aadhaar card details in some cases for verifying identities at the vaccination centers.
Leak claims
Website claimed it was reselling data of 150 million people
A dark web platform called Dark Leak Market reportedly claimed that a database containing the phone numbers, "pin-point GPS location" data, and Aadhaar card details of 150 million citizens who registered on the Co-WIN portal was available for sale at $800. The website claimed that it wasn't the original leaker of the data and that it was just a reseller.
Bitcoin scam
Researcher corroborates, calls it a 'Bitcoin scam'
In fact, security researcher Rajshekhar Rajaharia also tweeted that the leak claim is "fake" and a "Bitcoin scam". He even showed screenshots of leaked data that the website had advertised for sale while in reality the data was either never leaked or not available anymore. He highlighted that the website also changed web addresses frequently and doesn't provide samples of leaked data.
Twitter Post
Security researcher Rajshekhar Rajaharia's tweet calling the leak 'fake'
[Alert] #CowinPortal Not Hacked!! Some Fake #DarkwebLeakMarket are claiming to sell data of 150 Million COVID19 Vaccinated People of India. It's completely fake. It's a Bitcoin Scam. Don't Trust. Check Screenshots. They are listing fake leaks. #Infosec @journoprasoon @ETtech pic.twitter.com/c39IGDT4dz
— Rajshekhar Rajaharia (@rajaharia) June 10, 2021
Observations
EGVAC chairman says website advertised data that Co-WIN never collected
Further, Chairman of the Empowered Group on Vaccine Administration (EGVAC), Dr. RS Sharma said, "Co-WIN stores all the vaccination data in a safe and secure digital environment. No Co-WIN data is shared with any entity outside the Co-WIN environment." Dr. Sharma observed that the website's claim of "pin-point GPS location" is false since the Co-WIN portal doesn't collect that data to begin with.
Government speaks
MeitY's emergency response team is looking into the matter
A statement issued by the Union Health Ministry said that "there have been some unfounded media reports on the Co-WIN platform being hacked. Prima facie, these reports appear to be fake." The Health Ministry and EGVAC have sought assistance from the Computer Emergency Response Team of the Ministry of Electronics and Information Technology (MeitY) to investigate the matter.