Bihar Man, Juvenile Arrested By Delhi Police Over Alleged CoWin Portal Data Leak

A man has been arrested in Bihar by the Intelligence Fusion & Strategic Operations, (IFSO) of Delhi Police in connection with the alleged leak of data in the CoWIN portal -- the country's Covid-19 vaccination tracking platform. It is alleged that the man leaked sensitive personal details of politicians, bureaucrats, and others on the social media platform Telegram. The Delhi Police has also said that the man's mother worked as a healthcare worker in the state. The mother helped her son to gather data from the CoWIN portal, police said. A juvenile has also been apprehended in connection with the case, the Special Cell of Delhi Police said.

Last week, reports surfaced on a purported breach of data of beneficiaries registered on the CoWIN platform. The data had been accessed by a Telegram bot which revealed data such as gender, DOB, Aadhar card, ID, passport numbers, cellphone numbers, address, centre for vaccination etc.

“The accused was identified using technical surveillance. He was arrested from his residence in Bihar. We suspect he took his mother’s help to breach the system. He created a bot and shared it on Telegram. We know he was not selling the data to anyone in particular. He tried hacking the system and was successful. When he realised he could put all the data online, he did. We don’t think he had any other ulterior motives,” said a police officer.

The alleged leak put at risk over 100 core individuals who have registered on the CoWIN portal to get vaccinated against COVID-19 and to download their vaccination certificates. The users include more than 4 crore children between the age of 12-14 and over 37 crore people over the age of 45.

Meanwhile, the Health Ministry said it is completely safe with adequate safeguards for data privacy and claimed that the media reports about a breach of data of beneficiaries who have received COVID vaccination in the country as "mischievous in nature". The ministry claimed, "Security measures are in place on CoWIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity and Access Management etc. Only OTP authentication-based access of data is provided."

The Health Ministry said that the access to CoWin data was available at three levels -- beneficiary dashboard, authorised user and API-based access. The government made it cleared that without an OTP, the vaccinated beneficiaries' data cannot be shared to any Bot.

The Union Health Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report.

"An internal exercise has been initiated to review the existing security measures of CoWIN. CERT-In, in its initial report, has pointed out that backend database for Telegram bot was not directly accessing the APIs of CoWIN database," the statement said.