Unauthorised disclosure of CoWin data reported on a Telegram group
A significant data breach has occurred, leaking the personal information of hundreds of thousands of Indians who received the Covid-19 vaccination. The exact number of people affected by the privacy breach on CoWin could not be confirmed, but it is estimated that over 95% of adult Indians have received their vaccines, according to the latest data, with a total of around 2.2 billion doses administered at the time of going to press.
The incident has raised concerns among security experts, who warn about potential Insecure Direct Object Reference (IDOR) vulnerabilities and unsecured databases on the CoWIN platform. The leaked information includes phone numbers, gender, ID card information, and dates of birth.
According to CloudSEK analysis, the threat actor does not have access to the entire CoWin portal or the back-end database, but there was a past data breach. Several independent cybersecurity experts have confirmed the possibility of a partial database breach from the CoWIN platform. Minister of State for Information Technology Rajeev Chandrasekhar tweeted that it did not appear that the CoWin application or database had been directly breached, and the data being shared seemed to be from an earlier breach.
The bot, which was allegedly responsible for the leak, was disabled after media reports. However, experts have expressed concerns about the potential use of the data for identity theft, phishing emails, scams, and extortion calls. The bot returned the details of six vaccinated people in response to a single query, and although it has been cut off, the data remains out there.
The leaked information could be retrieved from a Telegram bot by entering a person's name. The name of the Telegram channel where the data of over a hundred thousand Indians was presumably leaked is not identified in the available reports.
On March 13, 2022, a threat actor on a Russian cybercrime forum advertised compromised access on the CoWIN portal, sharing a screenshot of the CoWIN database portal affecting the Tamil Nadu region. The central government has denied the breach, stating that the 'bot' did not access the CoWIN database directly and may have been showing information from previously stolen data.
Despite the concerns, the health ministry claims that the CoWIN portal is completely safe with adequate safeguards for data privacy. The portal has security measures such as a web application firewall, anti-DDoS, SSL/TLS, regular vulnerability assessment, identity and access management, etc. However, Himanshu Pathak, managing director of CyberX9, noted that both CoWIN and Aadhaar data of India are extremely sensitive and at risk of cyberattacks.
Kamesh Shekar, program manager at The Dialogue, stated that a breach of this scale could have economic and privacy implications for individuals. Anivar Aravind, executive director of the Indic Project, stated that the bot was a search facility on a database and multiple records were fetched against one search query.
In 2021, cyber intelligence firm Cyfirma warned about potential attacks on CoWin servers by hackers from China and North Korea. The incident has made security experts take notice and warn about potential IDOR vulnerabilities and unsecured databases on the CoWIN platform. The Indian Computer Emergency Response Team (CERT-In) has initiated an inquiry into the matter.