Government refutes claims of CoWIN data breach; CERT-In reviews matter

The Centre on Monday refuted reports of an alleged data breach in the Health Ministry’s CoWIN platform and said that it is completely safe with adequate safeguards for data privacy.

Terming these news reports were "mischievous" and "without any basis," the Union Health Ministry has said that the matter has been reviewed by the country's nodal cyber security agency, CERT-In.

Earlier in the day, it was reported that an automated account on messaging platform Telegram was allegedly sharing sensitive personal information of Indian citizens — including their Aadhaar and passport numbers — who signed up for the CoWIN portal.

The CoWIN portal was developed and is owned and managed by the Ministry of Health and Family Welfare, and is a repository of all data of beneficiaries who have been vaccinated against Covid-19.

Also Read | TMC leader Saket Gokhale alleges data breach of several politicians, journos who took Covid jab

The Health Ministry, in its clarification, said that "all such reports are without any basis and mischievous in nature. The CoWIN portal is completely safe with adequate safeguards for data privacy."

Furthermore, security measures are in place on the CoWIN portal with web application firewall, regular vulnerability assessment, and Identity and Access Management, the Ministry said, adding that an internal exercise has been initiated to review the existing security measures.

"Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal," the ministry said.

"CERT-In in its initial report has pointed out that the backend database for Telegram bot was not directly accessing the APIs of the CoWIN database," the statement said.

In addition, an internal exercise has been initiated to review the existing security measures of CoWIN.

Separately, Union Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said the Indian Computer Emergency Response Team (CERT-In) immediately responded and it does not appear that the CoWIN app or database has been directly breached.

The news report said that the alleged leak could impact more than 100 core individuals who have secured vaccinations after signing up through the CoWIN portal. This includes more than 4 crore children between the age of 12-14 and over 37 crore people over the age of 45, a significant part of which could be senior citizens.

Meanwhile, the CPI (M) demanded a probe on the allegation and said those responsible for such a major breach in the security of personal information of Indians must be identified, followed by deterrent action.