The digital age brings with it the boon of convenience, but not without its share of vulnerabilities. A recent incident that brought this reality into sharp focus was the alleged data leak from the CoWIN platform, a centralized Indian government platform used for COVID-19 vaccination registration.
Update as of 23 June 2023: Two persons have been arrested for leaking the data through Telegram: one minor and one from the State of Bihar. Authorities are still investigating.
A hacked or leaked database could potentially contain a citizen’s name, their father’s or mother’s name, city and state, Aadhaar number, date of birth, and mobile number. In this era of increasing financial security issues, that’s a significant amount of highly sensitive information.

The CoWIN data leak allegations first surfaced when the Malayala Manorama newspaper independently verified the incident. Saket Gokhale, the national spokesperson for the All India Trinamool Congress, also highlighted the issue by sharing screenshots of personal details, including Aadhaar, passport, PAN card numbers, gender, date of birth, and vaccination center details, that were allegedly exposed on a Telegram channel.
Notably, the leaked data appeared to be tied to registered phone numbers. The details of individuals who had registered under the same phone number were accessible through the Telegram bot, meaning that data of multiple family members registered using a single phone number were exposed. This was in contrast to the additional layer of security implemented by the CoWIN portal, which required OTP validation for access to detailed information.
The breach was not restricted to common citizens, either. Information about notable politicians and journalists was also reportedly exposed, raising serious questions about data security and privacy.
A twist came when the alleged hacker behind the data leak came forward, explaining that the breach was not due to a vulnerability in the CoWIN platform itself, but rather in an associated platform. They revealed that by exploiting a vulnerability in this other platform, which focused on child health, they could retrieve the details of Auxiliary Nurse Midwives (ANMs) and use that to fetch the same data via Telegram. This information was accessible to anyone who joined a specific Telegram group and entered the target’s mobile number or Aadhaar number.

The Indian government, while actively working on a comprehensive report, has reassured citizens that the CoWIN platform does not collect sensitive personal data like date of birth or the address of the individual, focusing solely on vaccination-related data.
While further details about the breach and the government’s response are still pending, the incident serves as a powerful reminder of the increasing importance of robust data security measures in today’s interconnected world.
(Note: The article might not have all the up-to-date details as this is an ongoing investigation. More recent information should be looked up from more current sources. We will update this as it happens.)