Even as government denies leak, experts call for stringent rules and compliance
On June 5, Rakesh Krishnan, a senior threat analyst in an IT company, had posted on LinkedIn and Twitter claiming the government’s CoWIN portal had been hacked and the data was out in the public domain. However, the issue grabbed headlines only on June 12, after a Malayalam news portal reported about accessing the data on Telegram; the portal made no mention of the exact source. Later, The News Minute reported that it had accessed, through a Telegram bot, the data of individuals who had registered for Covid-19 vaccinations on CoWIN. The platform was launched in January 2021, and touched over a billion lives in less than 18 months.
Krishnan told Forbes India that the data leak appeared in an Indonesian Telegram leak channel where Indonesia's leaks are regularly publicised for sale. Krishnan spoke to the threat actor (hacker) who had posted CoWIN’s data and learnt that he had this data for the past one year. “The threat actor had even reported it to the government, but no action was taken, and now it is up for sale again. He was selling it to only one person for $400 [Rs 33,000]. I couldn’t afford it, so I didn’t buy it.†The hacker was accepting the payment only via cryptocurrency.
Union Minister of Electronics and Technology Rajeev Chandrasekhar confirmed in a tweet on June 12 that there is no data breach of the CoWIN platform, and said that a Telegram bot was just randomly throwing up data when a phone number was typed in. “The data being accessed by bot from a threat actor database, which seems to have been populated with previously stolen data. It does not appear that the CoWIN app or database has been directly breached,†he tweeted.
Does this mean the data was stolen in the distant past or recently? Nobody has any answers yet.
A lot of similar data is available on the dark web. There are groups on Telegram dumping loads of data from Indian government websites, with hackers even trying to temporarily disable the websites. The possibility of another CoWIN data breach—there were breaches in 2021 and 2022 as well—has, once again, raised concerns about India’s weak cybersecurity systems. In the earlier instances too, the government denied the claims and said its nodal agency, the Indian Computer Emergency Response Team (CERT-In), had initiated inquiries into the matter. However, the issue soon died down and has now resurfaced.