In a major data breach, private information of lakhs of Indians registered on the CoWIN app to avail Covid-19 vaccination has reportedly been leaked to private players.
A Telegram bot has been giving away the names, date of birth, phone number, passport or Aadhaar numbers and any other details provided to the CoWIN app at the time of registration.
The News Minute used the bot and entered the mobile numbers of several politicians cutting across parties like Telangana's minister of information and communication technology Kalvakuntla Taraka Rama Rao (popularly known as KTR), DMK MP Kanimozhi Karunanidhi, BJP Tamil Nadu president K Annamalai, Congress MP Karti Chidambaram and former union minister of health Harsh Vardhan of the BJP.
All of them had provided their passport numbers for booking their vaccination slots. TNM further confirmed with all the politicians, except Harsh Vardhan, that their details on the Telegram bot, including their passport numbers, were authentic. Karnataka chief minister Siddaramaiah’s chief advisor KV Prabhakar had provided his Aadhaar details for registration, and he confirmed that the last four digits revealed on the bot were of his Aadhaar number.
The story was first broken by Reshma Asokan, a reporter with Fourth News, a Malayalam news portal. Fourth had entered details of Ram Sewak Sharma, chairman of CoWIN high power panel, Kerala health minister Veena George, Congress general secretary KC Venugopal and union minister of state Meenakhi Lekhi and found their details.
When TNM reached out to RS Sharma, the chief executive officer of the National Health Authority, who had vouched for CoWIN to be “safe and secure” in January last year, he refused the possibility of a breach. “How can there be a breach of data? Give me the proof, because when you enter a phone number, the One Time Password (OTP) comes only to that phone number. It is not possible for anyone to access others’ details.”
How does the Telegram bot work?
On June 12, a TNM reporter joined a Telegram channel named Hak*****. Only those who join this channel can access the details from the bot. The Telegram bot called truecaller***** revealed the information on entering the phone number or Aadhaar details.
The bot also gave details of everyone who were registered for the vaccination using the same number. In Kanimozhi’s case, the passport number of her son too was available. A TNM journalist who had registered for three people’s vaccination under her CoWIN registration ID confirmed that the details given away by the bot were precise. The bot was taken down around 9 am on Monday.
Initially, the Telegram bot gave away the complete Aadhaar number of individuals, but later it only showed the last four digits. The immediate consequence of the Telegram bot is that those who have phone numbers of individuals can access their name, gender, ID data (passport number or Aadhaar ID), location of first dose of the Covid-19 vaccine and date of birth (although it seems to be wrong in many instances). The larger implications are far more worrying, for it raises questions on how much data has been leaked, who has access to it, and how the data is being used.
‘Digital public infrastructure disaster’
“CoWIN data leak appears to be the largest data breach and is a digital public infrastructure disaster exposing date of birth and family relationship data of everyone who took a jab within the first billion doses,” said Srikanth L, from Cashless Consumer, a consumer awareness collective.
“Financial regulators such as the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI) must issue guidelines to regulated entities like banks and mutual funds to avoid any sensitive operation using date of birth to prevent fraudsters from exploiting the common man.” However, it is to be noted that people who have not provided their date of birth at the time of registering on CoWIN, and had only opted to provide the year of their birth, have been assumed by the bot to have been born on January 1 of their respective birth year.
This is, however, not the first time that such a leak has been reported. In June 2021, a hacker group named 'Dark Leak Market' had claimed that it had the database of about 15 crore Indians who registered themselves on the CoWIN portal.
At that time, Sharma had said, “We wish to state that CoWIN stores all the vaccination data in a safe and secure digital environment. No CoWIN data is shared with any entity outside the CoWIN environment. The data being claimed as having been leaked, such as the geo-location of beneficiaries, is not even collected at CoWIN."
TMC spokesperson Saket Gokhale also accessed the details of several politicians and journalists on the Telegram app.
This report was republished from The News Minute as part of The News Minute-Newslaundry alliance. Read more about our partnership here.
Newslaundry is a reader-supported, ad-free, independent news outlet based out of New Delhi. Support their journalism, here.