CoWIN Data ‘Leak’

Source: By Soumyarendra Barik: The Indian Express

Following reports that CoWIN data had been accessed by a Telegram bot, the Minister of State for Electronics and IT Rajeev Chandrasekhar said the Indian Computer Emergency Response Team (CERT-In), the nodal cyber security agency, had reviewed the alleged breach and has found that the CoWIN portal was not “directly breached”. The data – including citizens’ Aadhaar and passport numbers – that an automated account on Telegram was allegedly sharing was done using previously breached databases, he said.

The Health Ministry issued a press release on 12 June 2023 where it essentially ruled out CoWIN’s APIs (short for application programming interface that helps two applications share data with each other) being used by the Telegram bot. The responses from the government raise more questions than they answer. Here is an explainer:

The Centre’s Defence

The Ministry of Health press release first lays out the three ways in which data on CoWIN can be accessed: 
1. A user can access their data on the portal through a one time password (OTP) sent to their mobile number.
2. A vaccinator can access data of a person, and the CoWIN system tracks and records each time an “authorised” user accesses the system.
3.Third party applications that have been provided authorised access of CoWIN APIs can access personal level data of vaccinated people after OTP      authentication.

Then it claims that without an OTP, data cannot be shared with the Telegram bot. Some reports said that the bot also showed people’s date of birth, but the Ministry said that CoWIN only collects their year of birth and that there is no provision to capture a person’s address on CoWIN. It also said that there is one API that has a feature of sharing the data by using just a mobile number. “However, even this API is very specific and the requests are only accepted from a trusted API which has been whitelisted by the CoWIN application”.

Chandrasekhar, in a tweet, said the CERT-In had reviewed the alleged breach, and the data being accessed by the Telegram bot was from a “threat actor database”. He said that the database “seems to have been populated with previously breached data”, which was not related to CoWIN. “It does not appear that the CoWIN app or database has been directly breached,” Chandrasekhar added.

But was there a breach?

The Ministry has not explicitly clarified whether or not the CoWIN database was breached recently or in the past.

Its entire explanation hinges on the fact that the only way to access CoWIN’s system is either through an OTP or through a vaccinator whose access is logged. While the Ministry said that it has adequate security measures to protect CoWIN’s database, at no point has it said the database itself has not been impacted. This only leaves the possibility that the Telegram bot was not scraping data from CoWIN in real time.

The Ministry’s statement also does not offer any insight against the assertions that the Telegram bot was able to accurately retrieve citizens’ data linked to a particular phone number, and why the details offered by the bot were specific to the CoWIN database, including place of vaccination, ID used etc. Then, the Ministry has admitted that there is at least one API for which an OTP is not a necessity for data sharing. While this API only accepts requests from a “trusted API” that has been “whitelisted” by the CoWIN system, there is no clarity on what this trusted API does and why it has been afforded the privilege of bypassing the entire OTP mechanism.

Besides, the Ministry is yet to receive a final report on the incident from CERT-In on the issue. As such, it would be premature to disprove a breach until CERT-In explicitly states that in its report. If one were to go by the government’s second reasoning that the database which the Telegram bot was using was prepared with information leaked in previous breaches that too, raises some concerns.

Chief among them is the Aadhaar details corresponding to a person’s mobile number – the government have never publicly acknowledged whether Aadhaar data has ever been hacked. In fact, in 2018, former IT Minister Ravi Shankar Prasad had said in Parliament that Aadhaar’s security “cannot be broken even with the billionth effort”. It is unclear then how the bot could accurately display people’s Aadhaar numbers corresponding to their mobile numbers.

Next steps

The Health Ministry has asked CERT-In to look into this issue and submit a final report. Chandrasekhar said the National Data Governance policy has been finalised that will create a common framework of data storage, access and security standards across all of the government. Queries sent to CERT-In on the issue did not elicit a response.