Central Idea

• Data breach reports: The Health Ministry, on Monday, refuted claims of a data breach of COVID vaccination beneficiaries, stating that such reports were baseless and mischievous in nature.
• Investigation by CERT-In: The Indian Computer Emergency Response Team (CERT-In) has been asked to investigate the alleged data breach issue and submit a report to ascertain the facts.
• Assurance of data safety: The Ministry maintains that the CoWIN (Covid Vaccine Intelligence Network) portal is completely safe, equipped with adequate safeguards to protect data privacy.

About CoWIN

• Development: CoWIN was developed and is owned and managed by the Ministry of Health.
• Policy decisions: The Empowered Group on Vaccine Administration (EGVAC), chaired by the former CEO of the National Health Authority, oversees this. It includes members from the Health Ministry and MeitY (Ministry of Electronics and Information Technology).

Evaluation of Alleged Breach

• CERT-In review results: The review conducted by CERT-In concludes that there was no direct breach of the CoWIN app or database.
• Data source of Telegram bot: The data accessed by the Telegram bot was sourced from a separate threat actor database, which contained previously breached or stolen data.
• No direct breach of CoWIN: The Ministry states that it does not appear that the CoWIN app or database itself was directly breached.

Clarification on CoWIN Data Access

• Three methods of data access: The Ministry outlines the three ways in which data can be accessed on the CoWIN portal: user access, vaccinator access, and authorized third-party applications.
• Data sharing with Telegram bot: The Ministry clarifies that data cannot be shared with the Telegram bot without undergoing the one-time password (OTP) authentication process.
• Limited data collection: CoWIN only collects the year of birth and does not capture a person’s address.

Unanswered Questions and API Access

• Uncertainty regarding recent breaches: The Ministry has not explicitly clarified whether the CoWIN database was breached recently or in the past.
• Lack of insights on bot accuracy: The Ministry’s statement does not offer insight into the accuracy of the Telegram bot’s retrieval of citizens’ data from the CoWIN database.
• API access without OTP: The Ministry admits the existence of an API that allows data sharing without OTP, but emphasizes that requests are accepted only from trusted whitelisted APIs.

Concerns and Aadhaar Data

• Accuracy of Aadhaar details: The accuracy of displaying Aadhaar numbers corresponding to mobile numbers raises concerns, as the government has never publicly acknowledged any breaches of Aadhaar data.
• Need for clarity: The Ministry’s statement does not provide clarity on how the Telegram bot accurately displayed Aadhaar numbers.
• Addressing security concerns: The Ministry should address concerns regarding the security of Aadhaar data and provide transparency on its safety measures.

Future Steps and Data Governance Policy

• Empowering CERT-In: The Health Ministry has requested a final report from CERT-In to investigate the alleged data breach incident thoroughly.
• National Data Governance policy: The Ministry highlights the finalization of the National Data Governance policy, which aims to establish a common framework for data storage, access, and security standards across the government.
• Awaited response from CERT-In: The Ministry is awaiting a response from CERT-In regarding the issue, which will provide further insights into the nature of the breach.

Assurance and Previous Leaks

• Assurances of secure infrastructure: Health authorities maintain that CoWIN has state-of-the-art secure infrastructure and has never experienced a security breach.
• Dismissal of previous claims: Previous claims of data leaks, such as the ‘Dark Leak Market’ incident, were dismissed by health authorities, emphasizing the safety of citizen data.
• Security measures in place: CoWIN has implemented security measures such as web application firewall, regular vulnerability assessments, and OTP authentication to ensure the protection of data.

Implications of this data leak

• Identity theft risks: The leaked data exposes individuals to the risk of identity theft, as sensitive information can be misused for fraudulent activities.
• Targeted scams and phishing attacks: With access to personal details, scammers may attempt targeted scams and phishing attacks, leading to financial loss and potential harm to individuals.
• Loss of trust in government systems: The data breach undermines public trust in the government’s ability to safeguard sensitive information, affecting confidence in the vaccination program and other government initiatives.
• Reputational damage: The incident could tarnish the reputation of the CoWIN platform and associated government agencies, affecting their credibility in managing sensitive data.
• Impact on future vaccination drive: Concerns about data security may deter individuals from participating in the vaccination program, slowing down efforts to control the spread of COVID-19.
• Calls for accountability: The data leak prompts demands for accountability from the responsible government agencies and the implementation of stricter measures to protect citizen data.

Conclusion

• The data leak incident related to the CoWIN portal raises serious concerns about the privacy and security of individuals’ personal information.
• While the Ministry of Health maintains that the CoWIN app and database were not directly breached, the access to sensitive data through a Telegram bot raises questions about the integrity of the system.

Get an IAS/IPS ranker as your 1: 1 personal mentor for UPSC 2024

Get an IAS/IPS ranker as your 1: 1 personal mentor for UPSC 2024

Attend Now