CoWIN vaccination data out, Centre denies breach

Union IT Ministry says breached data were previously stolen but not from the CoWIN portal; Indian Computer Emergency Response Team (CERT-In) had been asked to investigate the issue and submit a report

June 12, 2023 02:34 pm | Updated June 13, 2023 09:15 am IST - New Delhi

Details from the CoWIN portal, including Aadhaar, passport, gender, date of birth, were leaked online following a data breach. Image for representational purpose only. File | Photo Credit: The Hindu

The Health Ministry on Monday said reports of data breach of beneficiaries who received COVID vaccination are “without any basis and mischievous in nature.” It said the Indian Computer Emergency Response Team (CERT-In) had been asked to investigate the issue and submit a report. The CoWIN (Covid Vaccine Intelligence Network) portal is completely safe with adequate safeguards for data privacy, the Ministry maintained.

“It does not appear that CoWIN app or database has been directly breached,” tweeted Rajeev Chandrasekhar, Union Minister of State for Electronics and Information Technology, clarifying that the data were being accessed by the bot from a threat actor database, which seems to have been populated with previously breached/stolen data. The database, he said, was other than CoWIN.

The Minister added that with reference to some alleged CoWIN data breaches reported on social media, @IndianCERT had immediately responded and reviewed this.

Further, he tweeted that a Telegram Bot was throwing up CoWIN app details upon entry of phone numbers.

“The national data governance policy has been finalised that will create a common framework of data storage, access and security across all of government,” Mr. Chandrasekhar tweeted.

But what is more worrying is the fact that CoWIN, which serves the functions of registration, appointment scheduling, identity verification, vaccination, and certification of each vaccinated member, has also been integrated in the Aarogya Setu and UMANG Apps.

UMANG (Unified Mobile Application for New-age Governance) is developed by the Ministry of Electronics and Information Technology (MeitY) and National e-Governance Division (NeGD) to drive mobile governance in India. UMANG provides a single platform for all Indian citizens to access pan India e-Gov services ranging from Central to local government bodies.

Meanwhile, as per reports, the current data breach is possible if the mobile number of a person is entered: details such as the identification number of the document submitted for vaccination (Aadhaar, passport, PAN card and so forth), gender, date of birth, and the centre where the vaccine was administered are provided in reply, in an instant, by the messenger bot in question.

These details could be accessed even if the Aadhaar number was entered instead of the phone number. The passport numbers of those who had updated the CoWIN portal for travel abroad were also leaked.

Internal exercise

The Union Health Ministry, however, said it requested the CERT-In to investigate this issue and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN.

“CERT-In, in its initial report, has pointed out that back-end database for the Telegram bot was not directly accessing the APIs of CoWIN database,” the Ministry said in the statement.

CoWIN data access: At present individual-level vaccinated beneficiary data access is available at three levels.
Beneficiary dashboard: The person who has been vaccinated can have access to the CoWIN data through the use of a registered mobile number with OTP authentication.
Co-WIN authorised user: The vaccinator, using the authentic login credential provided, can access the personal-level data of vaccinated beneficiaries. But the CoWIN system tracks and keeps a record of each time an authorised user accesses the CoWIN system.
API-based access: The third-party applications that have been provided authorised access to CoWIN APIs can access personal level data of vaccinated beneficiaries only through beneficiary OTP authentication.
What did the bot capture?
Without OTP, vaccinated beneficiaries’ data cannot be shared with any BOT. Only the Year of Birth (YOB) is captured for adult vaccination, but it seems that media posts have claimed that the BOT also mentioned the Date of Birth (DOB).
There is no provision to capture the address of the beneficiary. The development team of CoWIN has confirmed that there are no public APIs where data can be pulled without an OTP.

The details, now available in public domain through the leak, include those of Ram Sewak Sharma, chairman of CoWIN high power panel (the leak gives information on the ID papers submitted for vaccination), senior BJP leader Meenakshi Lekhi and Congress general secretary K.C. Venugopal (location at which they got vaccinated), and the mode of registration for Kerala Health Minister Veena George.

The bot (a programme that behaves like a normal chat partner with additional functions) on Telegram is also giving details of individuals and data of several Opposition leaders, including Rajya Sabha member and Trinamool Congress leader Derek O’Brien, former Union Minister P. Chidambaram, Congress leaders Jairam Ramesh, Rajya Sabha Deputy Chairman Harivansh Narayan Singh, Rajya Sabha members Sushmita Dev, Abhishek Manu Singhvi, and Sanjay Raut, among others.

While the bot has now been taken down, there is anxiety about the safety of personal data.

The CoWIN site provides vaccination certificates to the beneficiaries, which acted as ‘Vaccine Passports’ during the COVID-19 pandemic for the beneficiaries and can be stored in DigiLocker. Users can access the platform via desktop, tablet, and mobile phones.

Multiple questions

While there have been multiple questions about the leaks, health authorities have maintained that CoWIN has state-of-the-art secure infrastructure and has never faced a security breach and even maintained that the data of the citizens are safe.

This is not the first time that such a leak has been reported. In June 2021, a hacker group named ‘Dark Leak Market’ claimed that it had a database of about 15 crore Indians who registered themselves on the CoWIN portal. Health authorities had rubbished the claims then.

The Health Ministry, in its latest statement, added that security measures are in place on CoWIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management etc. Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal.

CoWIN was developed and is owned and managed by the Health Ministry. An Empowered Group on Vaccine Administration (EGVAC) was formed for steering the development of CoWIN and for deciding on policy issues. Former CEO, National Health Authority (NHA), chaired the EGVAC which also included members from the Health Ministry and MeitY, the statement added.
