The Delhi police’s special cell on June 22 said it had arrested a man from Bihar and apprehended another juvenile for their involvement in the alleged data leak on CoWIN, the Union government’s web platform for registering COVID-19 vaccine doses.
The breach led to COVID-19 vaccination beneficiaries — potentially hundreds of millions of people — having their Aadhaar or passport numbers exposed on a Telegram automated bot. While the bot was eventually taken down, verified personal information on vaccine beneficiaries was openly available during this period.
Regarding the arrest, a senior police officer said the accused, 21, who completed a bachelor’s degree in technology, is a resident of Bihar, and another juvenile, 17, has also been apprehended in connection with leaking data from CoWIN.
The accused, according to the police, was behind the creation of the Telegram bot. It is unclear whether the bot was acting as an interface between a flaw in the CoWIN database and the alleged hackers, or if the latter were able to siphon off and download the entire database of vaccine beneficiaries.
“The accused’s mother works as a healthcare worker in Bihar, and she is also being questioned regarding the matter; it is suspected that might have a role to play considering the sensitive information and she would have helped him to breach the platform, however, so far, we are only questioning her as per the procedure,” the officer said.
The case was sent to the government’s nodal cybersecurity agency, the Indian Computer Emergency Response Team (CERT-IN), for further review. Delhi police officers said they investigated the case along with the agency.
The messaging application Telegram was asked to provide details regarding the said bot and who created it, the officers said. A Telegram spokesperson did not immediately return a request for comment.
“We arrested [the accused] from his residence in Bihar after technical surveillance was mounted on him,” the officer said.
Prima facie, the officer said, the accused had not been found of selling the data to anybody and was involved in hacking into the network, “Any other ulterior motive has not been found yet; however, our investigation is under way,” the officer added.
Recently, the special cell registered a case under relevant Sections of the Indian Penal Code and the Information Technology Act in connection with the alleged data leak.
