The centre calls the rumours of a data breach on the CoWIN site "mischievous."

Delhi, India (12 June) Media claims suggesting a breach of the data of beneficiaries who have received COVID vaccination in the country have been dismissed as “mischievous in nature” by the Centre, which on Monday said the Health Ministry's CoWIN site is totally secure, with the necessary measures in place for data privacy.

There have been media reports alleging a social media site had a data breach involving recipients who got the COVID immunisation in the country. The Union Health Ministry’s Co-WIN site is a storehouse for all data of beneficiaries who have been vaccinated against COVID-19, and these complaints suggest a breach of this data, the statement said. Some tweets have claimed that private information on vaccinated people is being obtained through a bot on the messaging service Telegram. It has been stated that the bot can retrieve personal information when given a beneficiary’s mobile phone number or Aadhaar number.


All such rumours, the statement makes clear, have no foundation and are malicious. The Health Ministry’s CoWIN interface has full security and privacy protections. A Web Application Firewall, Anti-DDoS, SSL/TLS, frequent vulnerability assessment, Identity & Access Management, etc. are only some of the additional security measures in place on the Co-WIN site. Data access is protected by one-time password (OTP) authentication. All possible measures have been and are being taken to guarantee the safety of the information stored in the CoWIN site.

MoHFW is responsible for both the creation and maintenance of COWIN. The creation of COWIN was guided by the Empowered Group on Vaccine Administration (EGVAC), whose members decide on policy matters and set the project’s direction. According to the statement, the previous CEO of the National Health Authority (NHA) presided over EGVAC, which also comprised representatives from MoHFW and MeitY.

Currently, there are three tiers of access to Co-WIN data on vaccinated beneficiaries.

Beneficiary dashboard—The vaccinated individual may view their Co-WIN data by entering their registered mobile number and authenticating with a one-time password.

The vaccinator has access to the private information of vaccinated individuals when using the valid login credentials issued by Co-WIN. The COWIN system, however, monitors and logs each time a valid user logs in.

Third-party apps with authorised access to the Co-WIN APIs may see individual-level data on vaccinated beneficiaries, but they must first authenticate using the beneficiaries’ one-time passwords (OTPs).

Information about vaccination recipients cannot be sent to any bot without an OTP.

Media postings have also reported that the bot returned the date of birth (DOB), but in fact only the year of birth (YOB) is collected for adult immunisation.

There are no public APIs in COWIN from which data may be retrieved without an OTP, as verified by the development team. Some application programming interfaces (APIs) have also been made available to other parties such as ICMR in order to facilitate data exchange. One such API reportedly allows data exchange by phone call using just an Aadhaar number. However, even this API has strict requirements, since queries are only accepted from whitelisted APIs when using the Co-WIN software.

The Indian Computer Emergency Response Team (CERT-In) has been asked to investigate this problem and report back to the Union Health Ministry. In addition, a simulation has been launched to assess the current state of CoWIN’s security.

In its first assessment, CERT-In noted that the Telegram bot’s backend database did not directly access the CoWIN database’s APIs.