The Narendra Modi government on Monday ran into allegations that it had either remained oblivious to or not publicly disclosed a security breach of its Covid-19 vaccination database through which information on vaccine recipients was stolen in the past and made available on a public messaging platform.
The alleged security breach involving data that an official had once described as “absolutely safe and secure” has rekindled concerns about digital vulnerability at a time when the government is urging citizens and healthcare institutions to digitise medical records, security experts said.
The Fourth, a Malayalam news website, reported on Sunday that the names, mobile telephone numbers and years of birth, among other details, of Covid-19 vaccine recipients uploaded on the government’s CoWin database were also available through a bot — a software programme — on Telegram, a public messaging platform.
It is not clear who designed the bot, when and for what purpose.
On Monday, the Union health ministry, which owns and manages CoWin, said through a media release at 4.30pm that it had requested the Indian Computer Emergency Response Team (CERT-In), an arm of the information technology ministry, to “look into this issue and submit a report”.
The CERT-In probe found that a Telegram bot “was throwing up CoWin app details upon entry of phone numbers”, Rajeev Chandrasekhar, the Union minister of state for electronics and technology, entrepreneurship and skill development, tweeted on Monday afternoon at 5.08pm.
“The data being accessed by bot from a threat actor database, which seems to (have) been populated (with) previously stolen data stolen in the past,” Chandrasekhar wrote. “It does not appear that CoWin app or database has been directly breached.”
In a fresh tweet at 5.50pm, Chandrasekhar clarified that his earlier tweet had referred to “previously breached or stolen data from databases other than CoWin”.
Digital security experts and others have interpreted the explanation as tantamount to admitting that data with the government had been “stolen” in the past. With the government remaining silent on the source of the “previously breached” data, the experts wondered where else the data could have been “stolen” from, since CoWin app details of vaccine recipients would be available in the CoWin database.
“This is a very serious episode that raises the question: how secure is our digital infrastructure?” said Pavan Duggal, a Supreme Court advocate and an authority on cybersecurity law. “If data was stolen, we should have had a criminal investigation.”
The health ministry’s media release on Monday did not refer to the previously stolen data cited by Chandrasekhar but said CoWin was “completely safe with adequate safeguards for data privacy”. The ministry also said it had initiated an internal exercise to review the existing security measures around CoWin.
The ministry added that CERT-In’s initial report had said “the backend database for the Telegram bot was not directly accessing” the CoWin database and that without an OTP (one-time password), vaccine beneficiaries’ data could not be shared with any bot.
Neither the health ministry nor the information technology ministry has said which other databases the CoWin details might have been stolen from earlier.
The health ministry had on January 21, 2022, denied social media reports that had claimed that data stored in CoWin had been leaked online.
The ministry had, in a media release titled “Myths vs Facts”, said the data was safe and secure on the digital platform.
R.S. Sharma, a government official who is the chief executive officer of the National Health Authority, had also tweeted on January 21, 2022: “Data of our citizens on CoWin is absolutely safe and secure.”
Members of the public have now raised questions about the stolen data, some asking when and how it was stolen and whether the government had disclosed it. “Is there any FIR (first information report) or public disclosure for this previously stolen data?” a Twitter user posted.
Another Twitter user asked how any database “other than CoWin” can have this information. Other than the Aadhaar or passport information, the bot also showed where the vaccination was taken. “What other database has it and why?” the user asked.
Some Twitter users reported on Monday that the bot had been disabled.
Duggal and other digital security experts have cautioned that digital platforms with public interfaces cannot be considered 100 per cent secure. “If data was stolen, we need a clear investigation to determine when and how it was done,” Duggal said. “We need to take cybersecurity more seriously than we are doing now.”
Last year, hackers had broken into and disabled computers at the All India Institute of Medical Sciences, New Delhi, potentially compromising sensitive data on patients and crippling online services accessible to patients.
The security breaches come amid a government campaign called the National Digital Health Mission, which is encouraging patients, hospitals and pathology labs to upload medical records onto digital platforms so that the records can be accessed with consent from patients anywhere in the country.