The government has refuted reports of user data being leaked from the CoWin portal and sold on the dark web, though it has launched an investigation into the issue out of caution.
Reports of an alleged hack of the vaccination site surfaced on Thursday, with pictures of a website on the dark web that claimed to be hawking the names, mobile numbers, Aadhaar IDs and location data of 15 crore vaccinated citizens.
[ALERT] Dark Leak Market on the DarkWeb has posted a post selling information of 150 Million COVID19 Vaccinated People of India. pic.twitter.com/32Chmcao9W
— DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) June 10, 2021
"There have been some unfounded media reports on the CoWin platform being hacked. Prima facie, these reports appear to be fake," a statement issued by the Union health ministry said.
Union Health Minister Harsh Vardhan also rubbished the reports, saying that all vaccination data was stored in a “secure digital environment”, but said an emergency response team of the Ministry of Electronics and Information Technology would look into the matter just to be safe.
Reports of #CoWIN platform being hacked, prima facie appear to be fake.
Out of abundant precaution, emergency response team of @GoI_MeitY is investigating the matter.
Data speculated to have been leaked such as geo-location of beneficiaries, is not even collected on Co-WIN.
— Dr Harsh Vardhan (@drharshvardhan) June 10, 2021
What do the experts believe?
Cybersecurity researcher Rajshekhar Rajaharia has backed the government’s assertion, saying the leak was completely fake and a Bitcoin scam that was set up to swindle unsuspecting buyers out of up to $800.
Rajaharia also posted pictures to prove that the website had regularly been posting fraudulent “leaked” datasets, including data from Tata Communications and SBI YONO, which were never hacked, and Upstox and Mobikwik user data, which were not available on the dark web.
[Alert] #CowinPortal Not Hacked!! Some Fake #DarkwebLeakMarket are claiming to sell data of 150 Million COVID19 Vaccinated People of India. It's completely fake. It's a Bitcoin Scam. Don't Trust. Check Screenshots. They are listing fake leaks. #Infosec @journoprasoon @ETtech pic.twitter.com/c39IGDT4dz
— Rajshekhar Rajaharia (@rajaharia) June 10, 2021
However, some cybersecurity experts are still concerned that the site’s security protocols were not impenetrable and suggested that the government err on the side of caution.
Apar Gupta, who runs the Internet Freedom Foundation (IFF), said the government should not take the claim lightly and implored the response team to investigate the breach thoroughly.
It is necessary for @IndianCERT to step in. This is critical data leak. It must be fairly and independently verified, the issue causing it and accountability must be fixed. We must resist the temptation to issue a blanket denial. Investigate, verify, please! https://t.co/L3InzoffRA
— Apar (@apar1984) June 10, 2021
The IFF had earlier this year filed a Right to Information (RTI) petition asking what kinds of data the CoWin portal stored and what its privacy policy was. The government said it would receive names, genders, dates of birth, photo IDs, and mobile numbers, but refused to outline a privacy policy and did not disclose which ministries and departments in the government would have access to the data on the CoWin platform.
The data it says it will collect will be your name, gender, date of birth, photo ID, and number.
National, State, and District level admins will have access to use the app, but there is not much further clarity on this point.
But most importantly... 4/n
— Internet Freedom Foundation (IFF) (@internetfreedom) March 18, 2021