In a concerning development, the CoWIN database, used for COVID-19 vaccination registration in India, has been allegedly exposed on the messaging platform Telegram, triggering a data breach. The Indian government has launched an investigation into the matter to ascertain the extent of the breach and identify the responsible parties.
The data could reportedly be retrieved simply by entering a person’s mobile number. Once the number is provided, the Telegram bot in question instantly replies with sensitive details, including the identification number of the document submitted for vaccination (such as Aadhaar, passport, PAN card, etc.), gender, date of birth, and the vaccination center. Shockingly, even if the Aadhaar number was used instead of the phone number, the personal information could still be accessed. Furthermore, the leak reportedly exposed passport numbers of individuals who had updated the CoWIN portal for international travel.
CoWIN Database Exposed on Telegram: Government Launches Investigation into Data Breach
The leaked information has now become public, revealing the details of prominent individuals. The data breach includes the identification documents submitted by Ram Sewak Sharma, the chairman of the CoWIN high-power panel, as well as the vaccination center locations for senior BJP leader Meenakshi Lekhi, Congress general secretary K.C. Venugopal, and Kerala Health Minister Veena George.
Notably, the Telegram bot also disclosed personal information about several opposition leaders, including Rajya Sabha MP and TMC leader Derek O’Brien, former Union Minister P. Chidambaram, Congress leaders Jairam Ramesh and Abhishek Manu Singhvi, Rajya Sabha Deputy Chairman Harivansh Narayan Singh, and Rajya Sabha MPs Sushmita Dev and Sanjay Raut, among others. TMC spokesperson Saket Gokhale accessed the details of numerous politicians and journalists to draw attention to the security lapse. Although the bot has been taken down, there are concerns about its potential return.
The CoWIN platform issues vaccination certificates to beneficiaries, which have served as vaccine passports during the pandemic and can be stored in DigiLocker. Users can access the platform via desktops, tablets, and mobile phones.
Despite claims of a “state-of-the-art secure infrastructure” and no previous breaches, health authorities have faced scrutiny regarding the leaks. In June 2021, a hacker group named ‘Dark Leak Market’ claimed to possess a database containing information on approximately 150 million Indians registered on the CoWIN portal. However, health authorities dismissed these claims at the time.
The current breach raises serious concerns about data privacy and the security of sensitive personal information within vaccination registration systems. The government’s investigation aims to address the breach, hold responsible parties accountable, and implement necessary measures to prevent future incidents.