The Union Health Ministry is planning to file an FIR (first incident report) into the alleged CoWIN data breach. Senior officials of the Ministry told businessline that CoWIN data was not breached, but the leak could have happened from other databases “beyond the portal”, which is now being probed.
“We will file a case with the Cyber Crime cell either today or in a day or two. However, there has been no breach in CoWIN data. But there could have been some attempt elsewhere. Cyber crime will look into it. Investigations by CERT-in are on, too,” said the official aware of the matter.
Earlier this month, reports surfaced of a CoWIN data breach, leading to private details of people being leaked out through a bot on an instant messaging application. But these reports were denied by the Health Ministry and MeitY.
“CERT report also tells us that there is no breach in CoWIN,” said the official. Initial probe findings, the Ministry official said, also show that the data appears to have come not from CoWIN directly but from “some other source” that had inadequately protected vaccination beneficiary data.
A private cyber-security firm reportedly has a similar finding.
“But this breach is not from CoWIN portal,” the Health Ministry official said, adding that the data that popped up was “more detailed than what CoWIN possesses”.
For instance, CoWIN does not store precise dates of birth for vaccine beneficiaries; the CoWIN portal only collected the year of birth. Similarly, CoWIN does not collect addresses or some other details.
Safeguards in place
In addition, an internal exercise is under way to review the existing security measures of CoWIN. Without an OTP, the vaccinated beneficiaries’ data cannot be shared with any bot.
Only Year of Birth (YOB) is captured for adult vaccination, the official said, adding that there is no provision to capture the address of a beneficiary.
“Only OTP authentication-based access of data is provided,” he reiterated.
“The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP,” a previous statement by the Health Ministry had said. An Application Programming Interface, or API, is a software interface that lets one program request data or services from another.
In addition to the above, some APIs have been shared with third parties (such as ICMR), but these APIs are “very specific” and requests are accepted only from trusted sources, which include those white-listed by the Co-WIN application, the Health Ministry had clarified earlier.