Categories: Gadgets360

CoWIN Data Breach: Government Responds, Says no Direct Breach of CoWIN App or Database

The government on Monday responded to reports of an alleged data breach of the CoWIN database, stating that the data appeared to have been sourced from a different database containing information stolen in the past. The response follows reports that an automated bot on Telegram was surfacing personal details of people who had registered with the CoWIN platform to receive COVID vaccinations during the pandemic. The government has also claimed that it did not appear that the CoWIN app or database had been directly breached.

Hours after reports of the alleged data breach, Minister of State for Electronics and Technology Rajeev Chandrasekhar stated on Twitter that the Indian Computer Emergency Response Team (CERT-In) had responded and reviewed the reports of breaches that surfaced on social media on Monday. The minister stated a Telegram bot was sharing CoWIN app details when a phone number was entered. The bot was reportedly taken down shortly after it was discovered and covered by news outlets on Monday.

https://twitter.com/Rajeev_GoI/status/1668221201075023873?ref_src=twsrc%5Etfw

According to Chandrasekhar, the bot was accessing data from a threat actor database. The information available in this database appears to have been sourced from data stolen in the past from an older breach. However, the minister did not share additional details of the previous breach, including whether it was another government entity, whether it was detected before Monday, and whether it was disclosed by CERT-In.

In his tweet, Chandrasekhar also stated that it did not appear that either the CoWIN app or database was directly breached. The minister has not explained how the details of users who registered with CoWIN were available if neither the CoWIN app nor the website was directly affected by a data breach.

Meanwhile, the government issued a press release stating that CoWIN data access was available at three levels — the vaccine recipient, the authorised vaccinator, and third-party applications that had API-based (application programming interface) access that only works via user one-time password (OTP) authentication. The government states that the platform logs each attempt by an authorised vaccinator to access the CoWIN system.

The government also states that data from the CoWIN platform could not be shared with an automated bot without an OTP sent to the vaccine recipient, as there was no public API with such a level of access. It adds that the system did not record a recipient’s address and only recorded the year of birth for vaccination, whereas the posts shared on social media show the bot responding with the vaccine recipient’s date of birth.

CoWIN’s development team also confirmed that some APIs were shared with third parties like the Indian Council for Medical Research (ICMR) and requests were only accepted by a trusted API whitelisted by the CoWIN application — which suggests there was at least one API that could access data without an OTP. CERT-In has been asked by the Union Health Ministry to investigate the issue and submit a report on its findings, according to the government.

