June 18, 2023

COWIN’s Data Breach: Risking the Security and Privacy of Our Citizens

Kiran Chandra

THE leak of personal and sensitive data of people registered on the COWIN vaccination portal makes clear that its database has been breached. Personal and sensitive data of individuals, including name, gender, date of birth, address, Aadhaar number, mobile number and the location of their vaccination centre, was leaked and could be retrieved through a Telegram bot. The data of well-known individuals has been made public, including where and when they were vaccinated. The bot, which has now been shut down, returned a person's details on entry of the phone number with which they had signed up on the COWIN portal.

Registering on the COWIN web portal was mandatory for Covid-19 vaccination; one could be vaccinated only after signing up either through the COWIN app or through the website. Newspaper reports suggest that the data includes four crore children between the ages of 12 and 14 and more than 37 crore people over the age of 45, a significant part of whom would be senior citizens. More than 100 crore (one billion) people registered for vaccination through COWIN, making this one of the worst data breaches in the world.

The details of some of the prominent individuals now available in the public domain include those of senior BJP leader Meenakshi Lekhi, Congress general secretary KC Venugopal, Kerala health minister Veena George, Rajya Sabha members Abhishek Manu Singhvi and Sanjay Raut, former union minister P Chidambaram and many others. The case of Ram Sewak Sarma, chairman of the COWIN panel, is particularly interesting, as he had earlier claimed that the Aadhaar database was fully secure. Here, he did not give his Aadhaar ID but submitted his passport as ID proof.

Though the Telegram bot has now been shut down, the data it was accessing is still out there. Shutting down the bot does not mean that the database it drew on has also been deleted; that copy exists in spaces beyond the control of the government.

Rajeev Chandrasekhar, the minister of state for electronics and information technology, has stated that the COWIN database itself has not been breached, and that a Telegram bot was merely returning COWIN app data on entry of phone numbers. For the public at large, this only creates further questions: 1) Was the COWIN database hacked previously, with the stolen data now being served through this Telegram bot? 2) When was the COWIN database hacked, and was the government aware of it? 3) If COWIN data was indeed hacked earlier, what steps has the government taken? 4) When was CERT-In called in to investigate this data breach?

In any case, it is no consolation for the people that their COWIN data was hacked some time ago rather than recently. The minister's statement only confirms that there is now, or was in the past, a COWIN data breach, and that the private data of Indian citizens is now in the public domain. Claims that there is no breach today merely duck the issue: denying a current breach on the basis that the data was breached earlier does not help the citizen, nor does it absolve the government of its responsibility, as custodian, to protect our personal data.

The second claim made by the government is that COWIN data can be obtained in only a few ways. One is by a COWIN-authorised user through the beneficiary dashboard or through API-based access, which requires OTP validation. The other is through authentic login credentials, and the COWIN system tracks and records each access by an authorised user. The ministry also states that one particular API (application programming interface, the means by which two applications interact) has a feature for sharing data, and that such requests are only accepted from trusted APIs white-listed by the COWIN application.

The government's replies only raise further questions. How many such apps have been white-listed? Is the government not aware that the more apps are white-listed, the greater the chance of a data breach? What prevents a white-listed app from being compromised and used to make repeated queries, harvesting more and more data? Was there a serious security audit of such apps? Considering that privacy is recognised as a fundamental right, what steps has the government been taking? This is particularly pertinent as the government wants big Indian businesses to access our data for their own business purposes.
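The access record the ministry describes is only a safeguard if someone actually looks at it for the pattern a compromised white-listed app would produce: many lookups of many different beneficiaries in a short time. The following Python is an added example, not COWIN code or anything from its documentation; the log format, the client names, the five-minute window, the threshold of 20 and the log lines themselves are constructed assumptions for illustration.

```python
"""Detect bulk-lookup behaviour by a white-listed API client from its audit log.

Added example (not COWIN's code). The log format, client names, thresholds and
sample lines are constructed assumptions used only for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """One constructed log line: '<timestamp> <client_id> <subject_token> <status>'.
    subject_token stands for the looked-up beneficiary (hashed in a real log)."""
    ts, client, subject, status = line.split()
    return datetime.strptime(ts, FMT), client, subject, status


def flag_bulk_lookups(lines, window=timedelta(minutes=5), max_distinct=20):
    """Return {client_id: peak} for every client that looked up at least
    max_distinct *different* subjects inside some sliding window of `window`.

    Counting distinct subjects rather than raw requests separates enumeration
    from a legitimate client that retries the same beneficiary a few times."""
    recent = defaultdict(deque)   # client -> deque[(ts, subject)] inside window
    peak = defaultdict(int)       # client -> largest distinct count seen
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    for ts, client, subject, _status in events:
        dq = recent[client]
        dq.append((ts, subject))
        while ts - dq[0][0] > window:      # drop entries older than the window
            dq.popleft()
        distinct = len({s for _, s in dq})
        peak[client] = max(peak[client], distinct)
    return {c: n for c, n in peak.items() if n >= max_distinct}


def make_sample_log():
    """Constructed audit log: one normal partner and one abused white-listed client."""
    base = datetime(2023, 6, 10, 9, 0, 0)
    lines = []
    # partner-clinic: six lookups over an hour, two of them repeats of the same
    # subject, so its busiest 5-minute window has 4 requests but 3 distinct subjects
    for minute, subject in [(0, "h0000"), (2, "h0001"), (2, "h0001"),
                            (4, "h0002"), (31, "h0000"), (52, "h0003")]:
        ts = (base + timedelta(minutes=minute)).strftime(FMT)
        lines.append(f"{ts} partner-clinic {subject} OK")
    # partner-bulk: 40 distinct subjects in 80 seconds, the enumeration pattern
    for i in range(40):
        ts = (base + timedelta(seconds=2 * i)).strftime(FMT)
        lines.append(f"{ts} partner-bulk h{1000 + i:04d} OK")
    return lines


if __name__ == "__main__":
    for client, n in flag_bulk_lookups(make_sample_log()).items():
        print(f"{client}: {n} distinct subjects in a 5-minute window")
```

On the constructed log, only partner-bulk is flagged; partner-clinic never exceeds three distinct subjects in any window even though it makes four requests in one. A per-client threshold of this kind belongs in the API gateway as a hard limit as well as in after-the-fact review, because an attacker with a white-listed app's credentials otherwise passes every authorisation check the ministry lists.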

If we go by the government's reasoning, it appears to be saying that the COWIN data breach went unnoticed by the government. This raises serious questions about the entire architecture of the COWIN system and points to a serious lapse in minimum cyber security practices.

It is important to note that this data breach is not the first of its kind. In the recent past there has been a series of data breaches, the Big Basket, Air India and MobiKwik leaks being a few among them. Citizens' Covid-19 test results were being published by the BBMP (Bruhat Bengaluru Mahanagara Palike) without adequate security, leaving them vulnerable to a data breach. It is here that CERT-In should have stepped in to prepare and strengthen our cyber security infrastructure and prevent such data breaches. At the least, it is CERT-In's duty to inform the public about existing threats, data breaches and leaks so that citizens may take some steps to secure their personal data.

Organisations like the Free Software Movement of India (FSMI) and digital rights organisations have been raising concerns since the conceptualisation of the Health Stack and COWIN about how sensitive information, such as the health information of the country, is being handled: from collection and storage to third-party integration. Without such elementary measures for the safety of people's data, India's dream of becoming a data superpower with its various apps will remain a pipe dream.
