CoWIN Data Leak: Aadhaar, PAN Card Info Of Indians Made Public By Telegram Bot, Says Reports

New Delhi: Personal information – Aadhaar card, and PAN card details – of Indian citizens, including high-profile political leaders, were reportedly made available on messaging platform Telegram.

According to reports, a Telegram bot was giving away the details of individuals, who registered on the CoWIN app to get their COVID-19 vaccination, including their names, date of birth, phone number and other details provided at the time of registration, such as passport or Aadhaar numbers among others.

TMC national spokesperson Saket Gokhale shared the screenshots of the breach on his official Twitter account. “There has been a MAJOR data breach of Modi Govt where personal details of ALL vaccinated Indians including their mobile nos., Aadhaar numbers, Passport numbers, Voter ID, Details of family members etc. have been leaked & are freely available,” he wrote.

“This is a matter of national concern,” he added.

The developers of the Telegram bot disabled it after Manorama broke the story, The Mint reported. According to the Malayalam daily, the secretary of the Union Health Ministry Rajesh Bhushan was among the victims of the data leak. Details of  Ram Sewak Sharma, chairman of CoWin high power panel, Kerala Health Minister Veena George, Congress General Secretary KC Venugopal and Union Minister of State Meenakhi Lekhi were leaked and so also of some other leaders.

Data-driven news portal South Asia Index also put up a series of tweets, stating that details of family members of all COVID-vaccinated Indians had been leaked.

Odisha Bytes could not independently verify the details of the alleged data leak.

Responding to the news report, government officials dismissed hacking of the CoWIN app. They told CNBC TV-18 that there “discrepancies in data leak of the screenshots of the CoWIN app” but added that probe is on to ascertain any unauthorised access to the CoWIN app.

“Co-WIN portal of Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on Co-WIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management etc. Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal,” an PIB release later said.

It further said that the development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP. “Union Health Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN. CERT-In in its initial report has pointed out that backend database for Telegram bot was not directly accessing the APIs of CoWIN database,” it added.