CoWIN Portal Completely Safe, Data Leak Reports Are Mischievous In Nature: Centre

The Centre on Monday said that the Co-WIN portal of the Health Ministry is completely safe with safeguards for data privacy and the reports of data breach are without any basis and "mischievous in nature."

Reports had claimed that the personal details of vaccinated people were leaked on the social media application Telegram. It was claimed that the personal information of senior politicians and journalists including their mobile numbers, Aadhaar numbers, Passport numbers, Voter IDs, and details of family members were freely available on the portal.

Further, it was reported that the bot has been able to pull individual data by simply passing the mobile number or Aadhaar number of a beneficiary.

Responding to the reports, the Ministry of Health said, "It is clarified that all such reports are without any basis and mischievous in nature. The co-WIN portal of the Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on the Co-WIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity and Access Management etc."

The Centre stated that only OTP authentication-based access to data is provided and all steps have been taken and are being taken to ensure the security of the data in the CoWIN portal.

The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP. In addition to the above, there are some APIs which have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application, the press release stated.

The Union Health Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN.

The CERT-In in its initial report has pointed out that the backend database for the Telegram bot was not directly accessing the APIs of the CoWIN database.