The Central Government of India has come under fire as reports revealed that the personal data of citizens uploaded on the CoWIN portal to receive the COVID-19 vaccine could be freely accessed by anyone using a Telegram bot.
The leak, independently verified by Malayala Manorama newspaper, has raised concerns about the data breach of millions of people registered on the portal.
Overview
As per the report, giving a person’s mobile number on a Telegram channel enabled access to a person’s name, gender, date of birth, vaccination centre, and identification documents, including Aadhaar cards, PAN cards, and passports, among others.
Covid Vaccine Intelligence Network (CoWIN) is the Indian government’s web portal that allows COVID Vaccine registration in the country. According to the report, the Telegram bot also allowed accessing the information by entering the Aadhaar number instead of the phone number.
The report suggests that since several families are registered under a single phone number on the portal, the bot allowed accessing information of all family members using the same number.
It is unclear how the Telegram channel allowed accessing the information without needing an OTP, which is a primary requirement on the CoWIN portal to access this information.
The report said that upon entering Union Health Ministry Secretary Rajesh Bhushan’s number on the portal, the last four digits of his AADHAAR showed up along with personal details of his wife Ritu Khanduri Bhushan, who is an MLA from Uttarakhand’s Kotdwar.
A tweet by TMC leader and RTI activist Saket Gokhale relating to the data breach showed screenshots of the personal details of many prominent dignitaries revealed by the leak. The bot was blocked soon after reports of the leak emerged.
The Indian Government's Ministry of Electronics and Information Technology official has said that the alleged Covid data leak from CoWIN platform that was reported earlier in the day is an ‘old data’ https://t.co/CALTjD1O7o
— Mint (@livemint) June 12, 2023
Government Response, Data Protection Bill
An official response to the alleged data leak is still underway. Meanwhile, India Today reported that government sources claimed that CoWIN does not collect any personal data of individuals like date of birth and address.
Furthermore, concerning the data breach, ANI tweeted that sources in the Ministry of Electronics and Information Technology said, “It is old data, we are still verifying it; we have sought a report regarding the same.”
The government had dismissed similar reports that emerged in June 2021, when a hacker group called ‘Dark Leak Market’ claimed it had access to the vaccination database of 150 million Indians.
The rapid digitisation in India has raised concerns about frequent data breaches, especially as the Parliament has yet to pass a Data Protection Bill. The New Digital Personal Data Protection Bill, expected to be introduced in the upcoming Monsoon Session of Parliament, is expected to help tackle the problem of such data abuses in the future.