Indian Health Ministry Shuts Down Data Breach Claims, Ensures Co-WIN Portal’s Fortified Security
NEW DELHI: In response to alleged data breaches related to India’s Co-WIN app, Rajeev Chandrasekhar, the Minister of State for Electronics and Information Technology (MEITY), has assured the public that the app and its database have not been directly breached. The breaches were reported on social media platforms, raising concerns about the security of personal information.
Investigations conducted by the Indian Computer Emergency Response Team (CERT-In) revealed that a Telegram bot was responsible for displaying Co-WIN app details when phone numbers were entered. However, the data accessed by the bot seems to have originated from a threat actor database. This database appears to have been populated with previously breached or stolen data.
To address such security concerns, the Indian government has finalized the National Data Governance policy. This policy aims to establish a common framework for data storage, access, and security standards across all government entities. With this policy in place, the government aims to enhance the protection of sensitive information and prevent future data breaches.
Recent media reports alleging a breach of data from the Co-WIN portal of India’s Union Health Ministry have been dismissed as baseless and mischievous by the ministry. These reports suggested that personal data of individuals who have been vaccinated against COVID-19 could be accessed through a Telegram Bot. However, the ministry has clarified that the Co-WIN portal is completely safe, with robust safeguards in place to protect data privacy.
The Co-WIN portal, developed and managed by the Ministry of Health and Family Welfare (MoHFW), incorporates various security measures such as a Web Application Firewall, Anti-DDoS protection, SSL/TLS encryption, regular vulnerability assessments, and Identity & Access Management protocols. Access to data on the portal is strictly based on One-Time Password (OTP) authentication, ensuring the confidentiality and security of individuals’ information.
The Co-WIN data access is structured at three levels. Firstly, vaccinated individuals can access their own data through the beneficiary dashboard by using their registered mobile number and undergoing OTP authentication. Secondly, authorized vaccinators can access personal-level data of vaccinated beneficiaries through authenticated login credentials. It’s important to note that every access to the Co-WIN system is recorded for accountability.
Thirdly, third-party applications with authorized access to Co-WIN APIs can only access personal-level data of vaccinated beneficiaries through beneficiary OTP authentication. The Co-WIN system does not allow sharing of vaccinated beneficiaries’ data with any Telegram bot without OTP authentication. Additionally, the system captures only the Year of Birth (YOB) for adult vaccination, contrary to claims on social media suggesting that the bot has access to Date of Birth (DOB) and address information, which is not captured.
The development team of Co-WIN has confirmed that there are no public APIs where data can be accessed without OTP authentication. While some APIs have been shared with trusted third parties like the Indian Council of Medical Research (ICMR) for data sharing, these APIs have specific features and can only be accessed by trusted white-listed applications.
In response to the allegations, the Union Health Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to investigate the matter thoroughly and provide a detailed report. An internal review of the existing security measures of Co-WIN has also been initiated to ensure the continued protection of data.
In its initial report, CERT-In has highlighted that the backend database of the Telegram Bot did not directly access the Co-WIN database APIs, further affirming the security measures in place.
KEY HIGHLIGHTS
- Rajeev Chandrasekhar, India’s Minister of State for Electronics and Information Technology, assures the public that the Co-WIN app and its database have not been directly breached.
- The Indian government has finalized the National Data Governance policy to establish a common framework for data storage, access, and security standards across all government entities.
- The Co-WIN portal of the Ministry of Health incorporates multiple security measures, including a Web Application Firewall, Anti-DDoS protection, SSL/TLS encryption, regular vulnerability assessments, and Identity & Access Management protocols.
- Only OTP authentication-based access is provided on the Co-WIN portal to ensure data privacy and security.
- The Ministry of Health has requested CERT-In to investigate the alleged data breaches and submit a detailed report.