How safe is your personal data? Possible data breach of CoWIN portal raises questions

Even as government denies leak, experts call for stringent rules and compliance

Naandika Tripathi
Published: Jun 13, 2023 02:36:09 PM IST
Updated: Jun 13, 2023 08:33:02 PM IST

According to a study, India was attacked 1,866 times per week on average in 2022, with the health care sector facing the maximum number of attacks

On June 5, Rakesh Krishnan, a senior threat analyst in an IT company, posted on LinkedIn and Twitter, claiming the government’s CoWIN portal had been hacked and the data was out in the public domain. However, the issue grabbed headlines only on June 12, after a Malayalam news portal reported accessing the data on Telegram; the portal made no mention of the exact source. Later, The News Minute reported that it had accessed, through a Telegram bot, the data of individuals who had registered for Covid-19 vaccinations on CoWIN. The platform was launched in January 2021, and touched over a billion lives in less than 18 months.

Krishnan told Forbes India that the data leak appeared in an Indonesian Telegram leak channel where Indonesia's leaks are regularly publicised for sale. Krishnan spoke to the threat actor (hacker) who had posted CoWIN’s data and learnt that he had this data for the past one year. “The threat actor had even reported it to the government, but no action was taken, and now it is up for sale again. He was selling it to only one person for $400 [Rs 33,000]. I couldn’t afford it, so I didn’t buy it.” The hacker was accepting the payment only via cryptocurrency.

Union Minister of Electronics and Technology Rajeev Chandrasekhar confirmed in a tweet on June 12 that there is no data breach of the CoWIN platform, and said that a Telegram bot was just randomly throwing up data when a phone number was typed in. “The data being accessed by bot from a threat actor database, which seems to have been populated with previously stolen data. It does not appear that the CoWIN app or database has been directly breached,” he tweeted.

Does this mean the data was stolen in the distant past or recently? Nobody has any answers yet.

A lot of similar data is available on the dark web. There are groups on Telegram dumping loads of data from Indian government websites, with hackers even trying to temporarily disable the websites. The possibility of another CoWIN data breach—there were breaches in 2021 and 2022 as well—has, once again, raised concerns about India’s weak cybersecurity systems. In the earlier instances too, the government denied the claims and said its nodal agency, the Indian Computer Emergency Response Team (CERT-In), had initiated inquiries into the matter. However, the issue soon died down and has now resurfaced.

In June 2021, a hacker group named Dark Leak Market had claimed that it had a database of about 15 crore Indians who were registered on CoWIN. After purchasing the data once, it can be resold multiple times. It is also worth noting that the CoWIN portal has been integrated into the Aarogya Setu and Umang apps.

CloudSEK, a contextual artificial intelligence (AI) company that predicts cyber threats, came out with an analysis on June 12, following the news of the CoWIN data breach. It discovered a threat actor advertising a Telegram bot, offering personally identifiable information (PII) data on Indian citizens registered on CoWIN. However, CloudSEK’s analysis concluded that hackers do not have access to the entire CoWIN portal or the backend database: “Based on matching fields from Telegram data and previously reported incidents affecting health workers in a region, we assume the information was scraped through these compromised credentials. The claims need to be verified individually.”

Rahul Sasi, chief executive of CloudSEK, says, “What CloudSEK knows with high confidence is that threat actors have access to multiple credentials that belong to health workers that could be used to access the CoWIN portal for those individual health workers and the data they have access to. What we also speculate is some sort of unauthenticated API that would have allowed attackers to query specific user details. But there is no proof at this point in time.”

According to a study by Check Point Research, an American-Israeli cyber threat intelligence analyst, an organisation in India was attacked 1,866 times per week on average in 2022, with the health care sector facing the maximum number of attacks.

Such leaks of PII have been consistent for some time. “We need to look at these leaks objectively in terms of the damage they can cause instead of the leak per se,” says Harshil Doshi, director of sales (India and SAARC), Securonix, a Texas-based organisation that uses machine learning and AI to detect advanced threats.

Critical and sensitive services like banking and social media typically employ multi-factor authentication methods to provide access, and cannot be accessed with the publicly available parts of PII data leaks, explains Doshi. “For example, no rogue or an adversary nation can gain access to banking accounts or social media accounts using someone's date of birth or Aadhaar information. This data is anyways more or less public through some source or the other. These leaks have more or less become a mode to sensationalise the event for political reasons rather than have a more objective discussion on a nationwide policy on data security and sovereignty.”

These recurrent breaches underscore the urgent need for a data privacy law. Recently, Meta was fined a record 1.2 billion euros ($1.3 billion) by the Irish Data Protection Commission for breaching the EU's tough rules on data privacy, known as the General Data Protection Regulation (GDPR). This was for mishandling people's data while transferring it between Europe and the United States.

India, however, lacks the regulatory framework and due compliance with the Data Privacy Law. The importance of handling, securing, protecting, and preserving a user’s data must be the top priority of any data fiduciary and data processor, explains Advocate Liza Vanjani, who practises at the Gujarat High Court and works as a legal freelancer at Forensic Cybertech, a consulting firm.

“The data breach has not been confirmed yet. However, it raises questions about the work of data protection officers [DPOs]. The sensitive personal data of citizens must be protected at all costs. The screenshots have been circulated by the Telegram bot, conveying the details of name, mobile number, gender, passport, date of birth, and address. This raises questions about the handling of the data by the government and the lack of security measures undertaken to protect the data. The users must be informed about the data breach, if any,” says Vanjani.

The government's ‘Digital First’ initiatives, aimed at driving technological advancements and enhancing public services, may face significant setbacks in light of this data breach. Citizens may question the overall efficacy and security of digital platforms when such breaches occur, hindering efforts to foster a digital ecosystem and citizen trust, explains Abhishek Malhotra, managing partner of TMT Law Practice. “In the wake of this breach, one crucial aspect that demands attention is determining who will take responsibility for this security lapse. Clear accountability measures need to be established to address the breach, mitigate its impact, and ensure that such incidents are prevented in the future. This incident underscores the urgency for robust data protection laws and stringent security measures to safeguard citizens' sensitive information.”

Citizens must be allowed to claim the ‘Right to be Forgotten’ and delete their personal data from the government's database. The ‘Right to be Forgotten’ can be exercised by the Data Principal through a court of law where an intermediary collects information from the user for registration on computer resources; it shall retain the person’s information for 180 days after any cancellation or withdrawal of his registration. The concept of “deemed consent” is introduced under the Digital Personal Data Protection Bill, 2022, concludes Vanjani.