Health Ministry Refutes CoWIN Data Breach: Claims Rest On Misunderstandings

The Ministry of Health and Family Welfare has dismissed claims of a data breach on the CoWIN portal, which hosts data on Covid-19 vaccine beneficiaries.

What Happened? A Kerala-based daily on Monday alleged that they could access the personal data of vaccinated individuals via a Telegram bot using a mobile or Aadhaar number.

The ministry clarified that the portal is safe, with adequate safeguards for data privacy, including web application firewalls, anti-DDoS measures, SSL/TLS encryption, regular vulnerability assessments, and identity and access management. Only access via OTP authentication is allowed, and the ministry affirmed that all necessary steps are being taken to secure the data on the portal.

See also: Sam Altman Important Man In AI But Not ‘Last Word’ On India’s Aspirations: Rajeev Chandrasekhar

Union IT Minister Rajeev Chandrasekhar also dismissed the alleged data breach, explaining via Twitter that the accessed data originated from a threat actor database, populated with previously stolen data. He emphasised that it appears neither the CoWIN app nor its database was directly breached.

Chandrasekhar also mentioned that the finalised National Data Governance policy will standardise data storage, access, and security protocols across all government agencies soon.

The Ministry has engaged the Computer Emergency Response Team (CERT-In), India’s primary cybersecurity agency, to investigate the alleged security breach and review the existing security measures of CoWIN. In its initial findings, CERT-In noted that the Telegram bot’s backend database did not directly access CoWIN’s APIs.

Read next: UPI-Related Frauds Dominate Digital Payments Landscape In India, Report Finds

Posted In: GovernmentTechCoWINdata breachRajeev Chandrasekhar