CoWIN, the portal for India’s COVID-19 vaccination program, was reported in June 2023 to have suffered a data leak, leading to concerns about the security of citizens’ information. However, the government’s statements in response to the incident have raised more questions than they have answered. In this article, we delve into this development from the perspective of the IAS exam.
CoWIN Data Leak: Government’s Defense
The Ministry of Health outlined three ways in which data can be accessed on CoWIN: through an OTP sent to the user’s mobile number, by authorized vaccinators whose access is logged, or through third-party applications with authorized access to CoWIN APIs.
- The government claimed that without an OTP, data cannot be shared with the Telegram bot in question. It also stated that CoWIN only collects the year of birth, not the complete date of birth, and does not capture a person’s address.
- The government emphasized that the alleged breach did not directly target the CoWIN app or database but involved previously breached databases containing unrelated data.
Uncertainty Regarding Breach:
- The government did not explicitly clarify whether the CoWIN database had been breached recently or in the past. Its explanation centred on the fact that real-time scraping of data from CoWIN was not possible without an OTP or an authorized vaccinator’s access.
- The government did not address the bot’s ability to accurately retrieve citizens’ data linked to a specific phone number or why the details provided by the bot were specific to the CoWIN database.
- The government acknowledged the existence of an API that allows data sharing without an OTP, but it provided no details about the trusted API or why it bypasses the OTP mechanism.
Concerns Raised:
- The government has yet to receive a final report from CERT-In, the nodal cybersecurity agency, on the incident. Therefore, it is premature to definitively dismiss the possibility of a breach until CERT-In’s report is released.
- If the government’s claim that the bot used a database prepared with previously breached information is accurate, it raises concerns about the accuracy of Aadhaar details linked to mobile numbers. The government has never publicly acknowledged a breach of Aadhaar data.
- The Health Ministry has requested CERT-In to investigate the issue and provide a final report. The Minister of State for Electronics and IT announced the finalization of the National Data Governance policy to establish a common framework for data storage, access, and security across government platforms.
Conclusion: Overall, the government’s statements regarding the CoWIN data leak have left several key questions unanswered. It remains unclear whether the CoWIN database itself was breached, how the bot accurately retrieved citizens’ data, the role and purpose of the trusted API, and the status of CERT-In’s investigation. The incident underscores the need for robust data protection measures and greater transparency regarding data breaches in India’s digital infrastructure.