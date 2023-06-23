A man was arrested and a boy detained by the Delhi Police on Thursday in connection with the purported leak of CoWIN data, people familiar with the matter said, adding that the juvenile was the son of a healthcare worker whose credentials were abused to gain access. The disclosures prompted criticism from experts and Opposition leaders, but the government denied a “direct breach” of the CoWIN database.(HT_PRINT)

On June 12, reports said sensitive personal information, including identity document numbers such as those of Aadhaar and passports, was freely accessible via a service hosted on the instant messaging application Telegram.

The disclosures prompted criticism from experts and Opposition leaders, but the government denied a “direct breach” of the CoWIN database, which has information of people who received Covid-19 vaccines.

The Union health ministry did not issue a statement or respond to queries regarding the arrests on Thursday. A senior official in the central government, requesting anonymity, however, said that it was an ongoing investigation.

“The Delhi Police are investigating the case; it is too early to comment, or share, the details of investigation. It will be clearer what exactly happened once the investigation is complete.”

According to people aware of the matter, the man arrested on Thursday was allegedly behind the Telegram service, which was an automated chatbot.

While details were not offered by officials, those aware of the matter said the chatbot made use of facilities for healthcare workers to log into CoWIN to help people schedule vaccination or make other updates to their data — an option that possibly allowed access to the sort of data that was leaked to users.

The mother of the minor is a government health worker, officials said, asking not to be named.

Delhi Police did not respond to requests for a comment.

While it is understandable that the investigation is underway and details may yet to be pieced together, the prosecuting agencies and the ministries involved must be transparent and disclose the extent, if at all, of personal information jeopardised -- and what recourse people can take if indeed so.

HT was privy to the discussions at an associated Telegram group where the developer of the bot made certain claims, including indicating that he tailgated an application programming interface (API). HT could not verify this person’s claims but experts said that it seemed to be a plausible explanation for what may have happened.

An API is a gateway for one programme to exchange information with another, and is often deployed for legitimate access for a variety of reasons, including for Asha workers who use apps to register beneficiaries through their mobile phones.

The identity of the developer of the bot is unknown but the person ran a programming hobby group called “hak4learn”. The group’s Instagram and Telegram account have since been taken offline.

The June 12 incident triggered a political firestorm after the leaked data purported to show the Aadhaar card numbers, along with gender, date of birth and vaccination centre of senior politicians such as Rajya Sabha MP and Trinamool Congress leader Derek O’Brien, former Union ministers P Chidambaram and Jairam Ramesh, and Congress leader KC Venugopal.

The Union health ministry has asked the Indian Computer Emergency Response Team (CERT-In) to probe the incident, and the Union health ministry initiated a separate process review.