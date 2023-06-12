A major data breach outing personal details of users via government's CoWIN portal on Telegram was reported on June 12. Union Minister of IT Rajeev Chandrasekhar has acknowledged the breach revealing that the data that has surfaced is from previously breached or stolen data. In a tweet, he added that the CoWIN app or database did not get breached directly.

The minister further clarified, “National Data Governance policy has been finalized that will create a common framework of Data storage, Access and Security standards across all of govt.”

With ref to some Alleged Cowin data breaches reported on social media, @IndianCERT has immdtly responded n reviewed this



✅A Telegram Bot was throwing up Cowin app details upon entry of phone numbers



✅The data being accessed by bot from a threat actor database, which seems to… — Rajeev Chandrasekhar 🇮🇳 (@Rajeev_GoI) June 12, 2023

It was reported that the personal user details leaked on Telegram included identification number including Aadhaar, passport or PAN card, gender, date of birth and vaccination centre where the user received the shot. In case users used mobile number instead of Aadhaar number, the information could still be accessed.

In addition to this, the passport numbers of individuals who updated their CoWIN portal for international travel were also exposed.

Health Ministry acknowledges CoWIN data breach

As per the official statement by Government of India, “It is clarified that all such reports are without any basis and mischievous in nature. Co-WIN portal of Health Ministry is completely safe with safeguards for data privacy. All reports of data breach are without any basis and mischievous in nature. Health Ministry has requested CERT-In to look into this issue & submit a report”.

𝗖𝗢𝗪𝗜𝗡𝗗𝗮𝘁𝗮𝗕𝗿𝗲𝗮𝗰𝗵 #CoWIN portal of Health Ministry @MoHFW_INDIA is Completely Safe with safeguards for Data Privacy.



Adequate Security Measures are in place on Co-WIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment,… June 12, 2023

The Health Ministry has clarified that without OTP vaccinated beneficiaries’ data cannot be shared to any BOT. For adult vaccination, only Year of Birth (YOB) is captured but it seems that on media posts it has been claimed that BOT also BOT mentioned date of Birth (DOB). The ministry further informed that there is no provision to capture address of beneficiary.

The official statement further states, “Union Health Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN.”

