A Telegram bot has been found allegedly leaking details of all COVID-vaccinated Indians registered on the CoWIN platform by simply entering the mobile or Aadhaar number of a registered user. The leaked information also includes the full name, date of birth, PAN card details, passport numbers and even the location of the first vaccination.
Addressing the concerns, the health ministry has published a statement reassuring that the CoWIN platform is “completely safe with adequate safeguards for data privacy” and that any claims of a data breach are “without any basis and mischievous in nature”.
Additionally, Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology, has also tweeted that the Indian CERT has responded to the matter and in their review, it “does not appear that the CoWIN app or database has been directly breached”.
The data is apparently being accessed from a threat actor database that seems to have been populated with previously stolen data and has nothing to do with the breached CoWIN app. Additionally, CERT’s initial report suggests that the bot wasn’t accessing the CoWIN database’s APIs.
The News Minute also verified the bot’s existence and accessed the data of several politicians. Several people online claim to have accessed the Telegram bot, which has been taken down at the time of writing.
TMC spokesperson Saket Gokhale has questioned the government’s data security practices as several prominent political figures, including opposition leaders’ data, have also reportedly been exposed.
These include Rajya Sabha MP & TMC Leader Derek O’Brien, former Union Minister P. Chidambaram and Congress leaders Jairam Ramesh and K.C. Venugopal. The leaks have also allegedly affected several journalists, including Rajdeep Sardesai, Barkha Dutt and Rahul Shivshankar.