Oppn parties demand inquiry after claims of CoWIN data breach

Opposition parties on Monday demanded an inquiry into claims about a breach of data of citizens registered on the CoWIN platform and asked the government to take deterrent action.

The government has termed such reports "mischievous" and "without any basis", while asserting that the CoWIN portal is completely safe with adequate safeguards for data privacy.

Rajeev Chandrasekhar, the Union Minister of State for Information Technology, said the Indian Computer Emergency Response Team (CERT-In) responded immediately after the alleged leak.

Also Read: Government refutes claims of CoWIN data breach; CERT-In reviews matter

It does not appear that the CoWIN app or database were directly breached, he said.

But the Congress demanded a high-level judicial probe into the entire data management apparatus of the government to identify the "extent of danger" posed to privacy of all Indians.

Congress general secretary (Organisation) K C Venugopal said the duty of any entity, especially the government, is to protect individual privacy above everything else.

"It is clear that no citizen can trust this government with its private information. Only an impartial, high-level judicial probe into the government's entire data management apparatus can identify the extent of danger that is posed to our privacy as a result of this government's carelessness," Venugopal said on Twitter.

He also hit out at Union Minister of State for Electronics and Technology Chandrasekhar, saying, "I am appalled at your casual response to the breach of privacy of 1.4 billion Indians."

Congress general secretary in-charge communications Jairam Ramesh said the personal data breach is a "very grave matter" with serious implications for privacy, security and makes us all vulnerable to financial frauds.

Hitting out at Chandrasekhar, he said, "The tech-savvy Minister instead of issuing casual WhatsApp forward style tweets should hold a Press Conference at the earliest and clarify at the very least: What he means by 'previously stolen data stolen in the past' — stolen from which database, when, and what action was taken?

"If CoWIN database hasn't been 'directly breached', is the Minister then accepting that it is an indirect breach? What other databases are linked to the CoWIN database that has led to this vulnerability?" Ramesh said.

"What immediate steps is the Modi government taking to secure the personal data of crores of Indians who trusted the govt to keep their details safe," he asked.

Congress leaders also alleged it was a case of "criminal negligence" and asked why the government was sitting on a data protection law.

"In its Digital India frenzy, GoI has woefully ignored citizen privacy. Personal data of every single Indian who got the COVID-19 vaccination is publicly available. Including my own data. Who let this happen? Why is GoI sitting on a data protection law?" Congress MP Karti Chidambaram said.

Minister of Electronics and Information Technology Ashwini Vaishnaw must answer, he said.

TMC national spokesperson Saket Gokhale also attacked Vaishnaw. "This is a matter of serious national concern. And predictably, the Minister-in-charge of this is Ashwini Vaishnaw who heads the Electronics, Communications, and IT portfolios in addition to Railways. How long will incompetence of Ashwini Vaishnaw be ignored by PM Modi?" he said.

In a statement, the CPI(M) demanded a thorough inquiry. "This is of serious concern and an infringement of the right to privacy which was declared by the Supreme Court as a fundamental right of all Indians.

"CPIM demands a thorough investigation be conducted and those responsible for such a major breach in the security of personal information of Indians must be identified followed by deterrent action," the Left party said.

CPI(M) general secretary Sitaram Yechury said, "Shocking and damning. Mega data breach from the CoWin portal. Personal details of all vaccinated accessible in public domain. Thorough investigation essential & the guilty punished stringently."

Gokhale claimed that individuals whose personal data has been breached include several opposition leaders like Rajya Sabha MP and TMC leader Derek O'Brien, former Union minister P Chidambaram, Congress leaders Jairam Ramesh and KC Venugopal and Rajya Sabha MPs Sushmita Dev, Abhishek Manu Singhvi, and Sanjay Raut. He also named several journalists.

"Why is the Modi government including Home Ministry not aware of this leak and why haven't Indians been informed about a data breach?" he said.

Minister Chandrasekhar said the National Data Governance policy has been finalised that will create a common framework of data storage, access and security standards in the country.

He issued a four-point tweet, asserting in the second point that "the data being accessed by bot from a threat actor database, which seems to hv been populated wth previously stolen data stolen in the past".

Reacting to it, Gokhale asked if the minister is "admitting there was a breach in Cowin in the past and data was stolen".

The minister later issued another tweet clarifying his earlier post. "Since some queries hv been raised - am reiteratng @IndianCERT finding - tht Point number 2 in my tweet refers to previously breached or stolen data from databases other than CoWIn."

The CoWIN was developed and is owned and managed by the Ministry of Health and Family Welfare. At present, the Health Ministry said in a statement, individual-level vaccinated beneficiary data access is available at three levels. "Without OTP, vaccinated beneficiaries' data cannot be shared to any BOT," the ministry said.