CoWIN data breach: Centre says portal completely safe

The Union Health Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN.

[Photo: CoWIN website]

Clarifying that the media reports claiming breach of data of beneficiaries who have received COVID vaccination in the country were “without any basis” and “mischievous in nature”, the Centre on Monday asserted that the CoWIN portal of the Union Health Ministry is completely safe with adequate safeguards for data privacy.

“There are some media reports claiming breach of data of beneficiaries who have received COVID vaccination in the country, on some social media platforms. These reports allege breach of data from the Co-WIN portal of the Union Health Ministry, which is a repository of all data of beneficiaries who have been vaccinated against COVID-19,” the Ministry of Health and Family Welfare said in a statement.

Certain posts on the social media platform Twitter have claimed that, using a Telegram (online messenger application) BOT, the personal data of individuals who have been vaccinated is being accessed. It is reported that the BOT has been able to pull individual data by simply passing the mobile number or Aadhaar number of a beneficiary.

“It is clarified that all such reports are without any basis and mischievous in nature,” the statement said.

The CoWIN portal of the Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on the Co-WIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management etc. Only OTP authentication-based access to data is provided. All steps have been taken and are being taken to ensure the security of the data in the CoWIN portal, said the Ministry.

COWIN was developed and is owned and managed by MoHFW. An Empowered Group on Vaccine Administration (EGVAC) was formed to steer the development of COWIN and to decide on policy issues. The former CEO of the National Health Authority (NHA) chaired EGVAC, which also included members from MoHFW and MeitY, the statement said.

The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP. In addition to the above, there are some APIs that have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing the data by calling using just a mobile number or Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API that has been white-listed by the Co-WIN application, the statement further said.

The Union Health Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN.

CERT-In in its initial report has pointed out that the backend database for the Telegram bot was not directly accessing the APIs of the CoWIN database, the statement added.
