Questions too many, answers just a few; government remarks on CoWIN data leak
In a recent press release, the Health Ministry mentioned CoWIN’s APIs (Application Programming Interface- that helps to share data) being used by the Telegram bot, as published in The Indian Express. The Ministry has shed some further light on this information, even though it hasn’t formally said whether or not the CoWIN database has recently or previously been compromised.
As per the official records, reports have claimed that CoWIN data had been accessed by a Telegram bot, the Minister of State for Electronics and IT Rajeev Chandrasekhar commented that the Indian Computer Emergency Response Team (CERT-In), the nodal cyber security agency after reviewing the alleged breach, has found out that the CoWIN portal was not ‘directly breached’. The citizen-based data like that of Aadhaar and passport numbers that an automated account on Telegram was allegedly sharing, was done using previously breached databases. The responses from the government raise more questions than they answer.
The Telegram bot was using a ‘threat actor database’ to obtain information that appeared to have already been stolen. The Centre has started an internal exercise to assess the security measures of the vaccination management site, according to an official statement from the Union Health Ministry.
Data from the CoWIN portal was only accessible to the beneficiaries through their registered mobile number by using a one-time password or OTP and by an authorized vaccinator or personnel only. Each time anyone logs into the portal using these credentials, it gets recorded that is his entry. Even login by any third-party applications can only happen through the OTP authentication of the beneficiary. From some recently shared Twitter posts it was mentioned how data breaches were repeatedly reported on social media ad how IndiaCERT immediately look into the matter for further review.
The clarification from the Health Ministry, however, did not address the question of how the Telegram bot was able to throw up citizens’ data linked to a phone number. On any past data breaches, there were no such relevant details or information shared. The government has now raised questions since it has never publicly acknowledged that Aadhaar data has been hacked. CERT-In did not respond to queries on the issue. In a preliminary investigation, CERT-In noted that the Telegram bot‘s backend database did not directly access the CoWIN database’s APIs. Sources have also claimed that over 110 entities, including the 7-8 government entities too have been accessing the APIs to access CoWIN data.
The government said that the platform’s development team had verified that there were no open APIs that could access the data without an OTP. However, on thorough research, it was revealed that there was only one API that could pull data even without an OTP and share data with third parties such as the Indian Council of Medical Research (ICMR) just by calling through their inked phone number Aadhaar. This API only allows queries from trustworthy APIs that CoWIN has white listed, according to the statement. The inactive Telegram account since Monday morning showed the personal details of an individual when the phone number used to sign up for the portal was messaged to the bot.
Claiming to source information from the CoWIN portal, the bot showed the person’s name, government identification used while getting the vaccination or from where he/she has got it. It also revealed all the people registered with the CWIN portal with the same phone number as the portal allows one person to create accounts of multiple individuals with the same number. The Ministry has promised to carefully review it and get to an immediate solution to stop such criminal offences.