The story so far: On June 12, reports emerged that a bot on the messaging platform Telegram was allegedly returning personal data of Indian citizens who registered with the COVID-19 vaccine intelligence network (CoWIN) portal for vaccination purposes. The bot spewed out personal details like name, Aadhaar and passport numbers upon entry of phone numbers. On the same day, the Health Ministry denied reports of a data breach, and said the allegations were “mischievous in nature.” It added that the Indian Computer Emergency Response Team (CERT-In) was reviewing existing security infrastructure of the portal. Separately, the Minister of State for Electronics and IT Rajeev Chandrasekhar said the nodal cyber security agency had reviewed the alleged breach and found that the CoWIN platform was not “directly breached.”
What does the CoWIN portal track?
CoWIN is a government-owned web portal set up in 2021 to administer and manage India’s COVID-19 vaccine rollout. The health register-style platform leverages existing public digital infrastructure like the Electronic Vaccine Intelligence Network (eVIN), an app that provides data on vaccine cold chains in the country; Digital Infrastructure for Verifiable Open Credentialing (DIVOC), a vaccine certificate issuer; and Surveillance and Action for Events Following Vaccination (SAFE-VAC), a vaccine adverse event tracker.
The platform, on a real-time basis, tracks vaccines and beneficiaries at the national, State, and district levels. It monitors vaccine utilisation and wastage, and maintains an inventory of the vials. For citizens, CoWIN verifies identity, helps schedule vaccine appointments, and issues a vaccine certificate. The database captures information flowing from four separate input streams — citizen registration; health centres; vaccine inventory; and vaccine certificates. Each stream functions independently, and at the same time exchanges data to minimise redundancies. The platform is a microservices-based, cloud-native architecture developed from the ground up on Amazon Web Services (AWS). A microservice architecture is a pattern that arranges an application as a collection of loosely linked, fine-grained services. These services interact with each other through certain set protocols.
What is the background to the data breach?
This is not the first time reports about data leaks have emerged. In January 2022, the personal data of thousands of people in India were reportedly leaked from a government server. The information included COVID-19 test results, phone numbers, names and addresses of citizens. The data could be accessed via online search. In December, in a separate security breach, an Iranian hacker claimed to be in possession of data from the CoWIN database.
Both the reports of the data leak were rubbished by the Ministry of Electronics and Information Technology (MeitY). There is no record of any investigation being carried out by CERT-In in connection with these data leaks. Even the vulnerability notes which the nodal cybersecurity agency shared on a regular basis made no reference to these breaches.
On the recent data leak, though the IT Minister said that CERT-In has completed review and found no breach in the CoWIN system, the cybersecurity agency has not directly put out any update that it is either investigating or has filed a review on the breach. However, a report in The Indian Express said the agency is in discussion with at least 11 State governments that had developed their own databases.
How did the Telegram bot get access to CoWIN-related data?
There are few ways to look into this data breach to know where things could have gone wrong. Cloud providers like AWS, Microsoft’s Azure and Google Cloud typically provide security only for the underlying infrastructure, and not for securing the applications and databases. Customers hosting their data are responsible for what they build in a cloud environment. The absence of AWS in CERT-In’s vulnerability notes last year could mean there was no security lapse at the cloud infrastructure’s end.
Also read | Free Software Movement of India demands investigation into CoWIN data breach
While the cloud offers superior security compared to traditional data centres, legacy systems deployed in virtual servers are the weak links in the chain. Such links are a perfect route for hackers to gain entry into a database. This shifts the focus to CoWIN, which was built leveraging legacy software tools. So, an entry point for those behind the bot may have been an old system that was connected to the portal.
In past data breaches, cybersecurity experts have attributed data leaks to human error or negligence in setting up databases in the cloud. Misconfiguring a system, or involvement of third-party apps with limited privacy features, could have also exposed user data to unauthorised people.
What is the larger picture?
Whatever the outcome of the CERT-In probe, the fact remains that sensitive personal data of millions of Indian citizens who signed up for the COVID-19 vaccination is in the hands of cybercriminals. It is unclear how they plan to use this information. But such leaks reveal India’s unfinished data protection business. A data protection law could be a useful tool in fixing accountability and building safeguards around the use and processing of personal data.
Also read | CoWIN data leak from a non-governmental database operated by threat actor, says Union Minister
In 2017, the Supreme Court of India recognised privacy as a fundamental right, highlighting the need to protect personal information. But the country is still struggling to frame a personal data protection policy.
