Aadhaar, Phone Numbers Leaked in Massive CoWIN Data Breach: Report

In a major data breach, information of lakhs of Indians who took COVID-19 vaccinations after registering on the CoWIN app seems to have been leaked on Monday.

A Telegram bot provided the name, date of birth, gender, phone number, passport or Aadhaar number, ID card used for vaccination, the vaccination centre’s name and the number of doses of a person registered with the app if his/her mobile number was entered, according to a story broken by Malayalam news portal The Fourth News.

The Fourth News found the details of CoWIN chairman RS Sharma, Kerala health minister Veena George, Congress general secretary KC Venugopal and Union minister of state for external affairs Meenakhi Lekhi using the bot.

Initially, the bot, taken down by 9 am, gave away the complete Aadhaar number but eventually showed only the last four digits.

The Aadhaar card, voter ID and PAN card numbers of lakhs of Indians were accessible to anyone on Telegram, The News Minute (TNM) reported.

Trinamool Congress (TMC) spokesperson Saket Gokhale tweeted that the details of several politicians and journalists were leaked: Rajya Sabha MP and TMC Leader Derek O’Brien, former Union minister P Chidambaram, Congress leaders Jairam Ramesh and Venugopal, Rajya Sabha deputy chairman HN Singh, Rajya Sabha MPs Sushmita Dev, Abhishek Manu Singhvi and Sanjay Raut, and journalists Rajdeep Sardesai (India Today), Barkha Dutt (Mojo Story), Dhanya Rajendran (TNM) and Rahul Shivshankar (Times Now).

SHOCKING:

There has been a MAJOR data breach of Modi Govt where personal details of ALL vaccinated Indians including their mobile nos., Aadhaar numbers, Passport numbers, Voter ID, Details of family members etc. have been leaked & are freely available.

Some examples 👇

(1/7)

— Saket Gokhale (@SaketGokhale) June 12, 2023

Using the bot, TNM obtained the details of Telangana’s IT and communications ministry KTR Rao, DMK Lok Sabha member Kanimozhi Karunanidhi, BJP Tamil Nadu president K Annamalai, Congress Lok Sabha Karti Chidambaram and verified them. Karnataka chief minister Siddaramaiah’s chief adviser KV Prabhakar confirmed his Aadhaar number.

A TNM reporter joined a Telegram channel named Hak*****. on June 12—only users of these channel could access the details from the bot. The bot, called truecaller*****, allowed the option of either entering the mobile or Aadhaar number. If the mobile number is registered, the details appear as the next message.

Besides, the Telegram bot also provided details of everyone registered for vaccination using the same number. In Kanimozhi’s case, her son’s passport number was available as well. For example, a TNM journalist who had registered for three people’s vaccination under her CoWIN registration ID confirmed that the leaked details were correct.

“CoWIN data leak appears to be the largest data breach and is a digital public infrastructure disaster exposing date of birth and family relationship data of everyone who took a jab within the first billion doses,” Srikanth L, from Cashless Consumer, a consumer awareness collective, told TNM.

“Financial regulators such as the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI) must issue guidelines to regulated entities like banks and mutual funds to avoid any sensitive operation using date of birth to prevent fraudsters from exploiting the common man,” he added.

However, Sharma, who had vouched for the safety and security of CoWIN in January 2022, refuted the breach. “How can there be a breach of data? Give me the proof. Because when you enter a phone number, the one-time password comes only to that phone number. It is not possible for anyone to access others’ details,” he told TNM.

#CoWIN has state-of-the-art security infrastructure and has never faced a security breach. Data of our citizens on CoWIN is absolutely #safe and #secure. Any news about data leaks from CoWIN holds no merit.

— Dr. RS Sharma (@rssharma3) January 21, 2022

When a hacker group called Dark Leak Market claimed to have hacked the details of 15 crore Indians on CoWIN in June 2021, Sharma had claimed that “CoWIN stores all the vaccination data in a safe and secure digital environment. No CoWIN data is shared with any entity outside the CoWIN environment. The data being claimed as having been leaked, such as the geo-location of beneficiaries, is not even collected at CoWIN.” 

Portal Safe, CERT to Look Into CoWIN Data Breach Issue: Health Ministry

The Union Health Ministry on Monday said reports claiming breach of data of beneficiaries registered on the CoWIN platform were "without any basis", and that it has requested the country's nodal cyber security agency CERT-In to look into the issue and submit a report.

While asserting that the CoWIN portal is completely safe with adequate safeguards for data privacy, it said an internal exercise has been initiated to review the existing security measures of CoWIN.

There are reports alleging breach of data from the Co-WIN portal of the Union health Ministry, which is repository of all data of beneficiaries who have been vaccinated against COVID19, the health ministry said in a statement, according to PTI.

"It is clarified that all such reports are without any basis and mischievous in nature.  Co-WIN portal of Health Ministry is completely safe with adequate safeguards for data privacy," it said.

 The ministry, however, said it has requested the Indian Computer Emergency Response Team (CERT-In) to look into the issue and submit a report.