A CoWIN data breach on Telegram has shaken the internet. Reports suggest that leaked data is available on the popular social media platform Telegram, which can now be accessed by any user by entering mobile numbers. All personal information including PAN and Aadhaar card details can be accessed say reports.
The Telegram bot allows anyone to search data against phone numbers or Aadhaar for vaccine data. The details exposed shows all the information of users registered under the same number. If true, the magnitude of the leak would be massive as billions of Indians took the vaccination during the pandemic.
What the Indian Government has to say about CoWIN Data Breach on Telegram
The Government of India has denied all the reports and said that they were without any basis and mischievous in nature. “CoWIN portal of Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on CoWIN portal, with web application firewall, anti-DDoS, SSL, TLS, regular vulnerability assessment, identity and access management. Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal,” said a statement from the Indian Government.
In its preliminary report, CERT-In highlighted that the backend database for the Telegram bot did not directly connect to the APIs of the CoWIN database.
What the CoWIN Development Team has to say about CoWIN Data Breach on Telegram
The CoWIN development team has verified that there are no publicly accessible APIs that allow data retrieval without an OTP. Furthermore, certain APIs have been provided to select third parties like ICMR for data sharing purposes. Among them, there is an API that permits data sharing by using only a mobile number or Aadhaar. However, this particular API is highly specific and exclusively accepts requests from a trusted API that has been authorized and whitelisted by the CoWIN application.