Asserting that the CoWIN portal was completely safe with adequate safeguards for data privacy, the government on Monday dismissed as "mischievous" the claims of a data breach on the platform and said the matter has been reviewed by the country's nodal cyber security agency CERT-In.
In a statement, the Union health ministry also said that an internal exercise has been initiated to review the existing security measures.
"With reference to some alleged CoWIN data breaches reported on social media...the Indian Computer Emergency Response Team (CERT-In) immediately responded and it does not appear that the CoWin app or database has been directly breached," said Rajeev Chandrasekhar, the Union minister of state for electronics and information technology.
Meanwhile, opposition parties demanded an inquiry into the data breach claims and asked the government to take deterrent action.
Congress leaders alleged it was a case of "criminal negligence" and asked why the government was sitting on a data protection law.
"In its Digital India frenzy, GoI has woefully ignored citizen privacy. Personal data of every single Indian who got the Covid-19 vaccination is publicly available. Including my own data. Who let this happen? Why is GoI sitting on a data protection law?" Congress MP Karti Chidambaram said.
Refuting the reports, Chandrasekhar said a Telegram bot was throwing up CoWin app details upon the entry of phone numbers.
"The data being accessed by the bot from a threat actor database, which seems to have been populated with previously breached/stolen data stolen from the past. It does not appear that the Cowin app or database has been directly breached," the minister said.
In its statement, the health ministry said there was no basis for the reports alleging the breach of data from the CoWIN portal, which is the repository of all data of beneficiaries who have been vaccinated against Covid-19.
"It is clarified that all such reports are without any basis and mischievous. The Co-WIN portal of the health ministry is completely safe with adequate safeguards for data privacy," it said.
Furthermore, security measures are in place on the CoWIN portal with a web application firewall, regular vulnerability assessment, and identity and access management, it said.
"Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure the security of the data in the CoWIN portal," the ministry said.
"CERT-In in its initial report has pointed out that the backend database for the Telegram bot was not directly accessing the APIs of the CoWIN database," the statement said.
It said certain Twitter users have claimed the personal data of individuals who have been vaccinated is being accessed using a Telegram (online messenger application) bot.
It is reported that bot has been able to pull individual data by simply passing the mobile number or Aadhaar number of a beneficiary, the ministry said.
The CoWIN was developed and is owned and managed by the ministry of health and family welfare.
An Empowered Group on Vaccine Administration (EGVAC) was formed for steering the development of CoWIN and for deciding on policy issues.
The statement said at present individual-level vaccinated beneficiary data access is available at three levels.
The first is the beneficiary dashboard -- the person who has been vaccinated can have access to the Co-WIN data through the use of a registered mobile number with OTP authentication.
The second is the CoWIN authorised user -- the vaccinator with the use of the authentic login credential provided can access the personal level data of vaccinated beneficiaries.
And, then there is API-based access -- the third-party applications who have been provided authorised access to Co-WIN APIs can access personal level data of vaccinated beneficiaries only through beneficiary OTP authentication.
The CoWIN system tracks and keeps a record of each time an authorised user accesses the COWIN system, the statement said.
"Without OTP, vaccinated beneficiaries' data cannot be shared to any bot," the ministry said.
It further said only the year of birth is captured for adult vaccination but it seems that on media posts it has been claimed that the bot also mentioned the date of birth.
Also, there is no provision to capture the address of a beneficiary, it said.
"The development team of CoWIN has confirmed that there are no public APIs where data can be pulled without an OTP. In addition to the above, some APIs have been shared with third parties such as ICMR for sharing data.
"It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the CoWIN application," it said.
