The Centre on Monday said the health ministry's CoWin portal is completely safe, with safeguards for data privacy, rejecting media reports that the data of all vaccinated Indians had been ‘leaked online’.

Through the CoWin portal, India was able to monitor the administration of 2.2 billion doses of the Covid vaccine. (Reuters)

Referring to media reports about the data of beneficiaries who received Covid-19 vaccination in the country, the government said they were without any basis and mischievous in nature.

The government said certain posts on Twitter had claimed that the personal data of vaccinated individuals is being accessed using a Telegram bot. It is reported that the bot has been able to pull an individual's data by simply passing the mobile number or Aadhaar number of a beneficiary.



Reiterating that the portal is safe, the government said further security measures are in place on it, such as a Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, and Identity & Access Management.



“Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal”, the government added.

The CoWin portal was developed and is owned and managed by the health ministry. An empowered group on vaccine administration (EGVAC) was formed to steer the development of the portal and to take decisions on policy issues. The former CEO of the National Health Authority (NHA) chaired EGVAC, which also included members from MoHFW and MeitY.

The government said that CoWin data access is available at three levels, i.e., beneficiary dashboard, authorised user and API-based access. The government made it clear that without an OTP, the vaccinated beneficiaries' data cannot be shared with any bot.

“Only Year of Birth (YOB) is captured for adult vaccination but it seems that on media posts it has been claimed that BOT also mentioned date of Birth (DOB). There is no provision to capture address of beneficiary”, the government statement added.



The Centre also clarified that there is no application programming interface (API) through which data can be pulled without an OTP.

“There are some APIs which have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application”, the government added.

The health ministry has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN.

CERT-In, in its initial report, has pointed out that the backend database for the Telegram bot was not directly accessing the APIs of the CoWIN database.



