NEW DELHI: The government on Monday asserted that the CoWin portal is completely safe with adequate data protection measures and dismissed reports of breach of data of Covid vaccine beneficiaries as “mischievous”. It said the country’s nodal cyber security agency, CERT-In, had examined the issue and found no direct breach of data.
“CoWin portal is completely safe … Indian Computer Emergency Response Team (CERT-In) had been asked to look into the issue and submit a report. CERT-In, in its initial report, has pointed out that the backend database for Telegram Bot was not directly accessing the APIs (Application-Based Interface) of the CoWin database,” the health ministry said.
Junior minister for IT and electronics Rajeev Chandrasekhar denied there was any “direct breach”, though adding that a Telegram Bot was throwing up CoWin App details from “previously stolen data”. “The data was being accessed by the Bot from a threat actor database, which seems to have been populated with previously breached data,” he said. He added a National Data Governance policy has been finalised and it will create a common framework of data storage and security standards across all of government.
Sources said the government, however, has initiated an internal exercise to review the existing security measures of CoWin. “Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWin portal,” the government said. On Monday, some posts in social media platforms claimed that data of beneficiaries had been breached using a Telegram Bot.
According to the health ministry, data stored on the CoWin platform can be accessed at three levels: the beneficiary, a CoWin authorised user and by third party applications who have been provided authorised access to the CoWin APIs. The person who has been vaccinated can have an access to the Co-Win data through use of registered mobile number with OTP authentication. About the specific claims of Telegram Bot accessing beneficiary data, the health ministry claimed that without OTP of vaccinated beneficiaries, data cannot be shared to any Bot.
Meanwhile, opposition parties demanded an inquiry into the alleged data breach. While Congress called it a case of “criminal negligence”, CPM pressed for fixing responsibility.
“CoWin portal is completely safe … Indian Computer Emergency Response Team (CERT-In) had been asked to look into the issue and submit a report. CERT-In, in its initial report, has pointed out that the backend database for Telegram Bot was not directly accessing the APIs (Application-Based Interface) of the CoWin database,” the health ministry said.
Junior minister for IT and electronics Rajeev Chandrasekhar denied there was any “direct breach”, though adding that a Telegram Bot was throwing up CoWin App details from “previously stolen data”. “The data was being accessed by the Bot from a threat actor database, which seems to have been populated with previously breached data,” he said. He added a National Data Governance policy has been finalised and it will create a common framework of data storage and security standards across all of government.
Sources said the government, however, has initiated an internal exercise to review the existing security measures of CoWin. “Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWin portal,” the government said. On Monday, some posts in social media platforms claimed that data of beneficiaries had been breached using a Telegram Bot.
According to the health ministry, data stored on the CoWin platform can be accessed at three levels: the beneficiary, a CoWin authorised user and by third party applications who have been provided authorised access to the CoWin APIs. The person who has been vaccinated can have an access to the Co-Win data through use of registered mobile number with OTP authentication. About the specific claims of Telegram Bot accessing beneficiary data, the health ministry claimed that without OTP of vaccinated beneficiaries, data cannot be shared to any Bot.
Meanwhile, opposition parties demanded an inquiry into the alleged data breach. While Congress called it a case of “criminal negligence”, CPM pressed for fixing responsibility.
