A breach of beneficiaries' COVID vaccination data has been alleged on social media platforms, with posts claiming that the Co-WIN portal of the Union Health Ministry has been compromised.
Reports suggest that the personal data of vaccinated individuals can be accessed using a Telegram BOT by entering the mobile number or Aadhaar number of the beneficiary.
The Press Information Bureau has issued a statement regarding this new development. Read on to find out what it says!
Breach of Data Through Co-WIN Did Not Happen?
The Union Health Ministry has clarified that these reports are baseless and misleading. The Co-WIN portal is secure, with measures in place to ensure data privacy. Security features such as a Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, and Identity & Access Management are implemented on the portal.
Access to data is OTP authentication-based, providing an additional layer of security. The Ministry assures that all necessary steps have been taken and are being taken to protect the data in the Co-WIN portal.
The Co-WIN portal was developed and is owned and managed by the Ministry of Health and Family Welfare (MoHFW). An Empowered Group on Vaccine Administration (EGVAC), chaired by the former CEO of the National Health Authority (NHA) and consisting of members from MoHFW and MeitY, was responsible for overseeing the development of Co-WIN and making policy decisions.
The Co-WIN data can be accessed at three levels: through the beneficiary dashboard using registered mobile numbers with OTP authentication, by authorized users (vaccinators) with proper login credentials, and by third-party applications authorized to access Co-WIN APIs with beneficiary OTP authentication.
Vaccinated Beneficiaries’ Data Cannot Be Shared Without OTP Authentication
Regarding the Telegram BOT, it is clarified that vaccinated beneficiaries’ data cannot be shared without OTP authentication. Only the year of birth (YOB) is captured for adult vaccination, and there is no provision to capture the address of the beneficiary.
The Co-WIN development team has confirmed that there are no public APIs that allow data retrieval without OTP. While certain APIs have been shared with trusted third parties, such as the Indian Council of Medical Research (ICMR), for data sharing, these APIs are specific and require authentication. The Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to investigate the issue and provide a report. Additionally, an internal review of Co-WIN’s security measures has been initiated.
According to the initial report from CERT-In, the backend database for the Telegram BOT did not directly access the Co-WIN database APIs, further indicating the baseless nature of the alleged data breach.