The Centre has taken note of an automated account on the messaging app Telegram that was reportedly passing sensitive personal data of Indian individuals, including their Aadhaar and passport numbers, who registered for the CoWIN portal for their Covid-19 vaccine.
The administration said on Monday that all such reports are without any basis and mischievous in nature, hours after rumors surfaced that CoWIN data had been accessed by a Telegram bot.
The Indian Computer Emergency Response Team (CERT-In), the main cyber security organization, assessed the purported breach, according to Minister of State for Electronics and IT Rajeev Chandrasekhar. He said, “It does not appear that the CoWIN app or database has been directly breached.” According to him, the information the Telegram bot was accessing came from a database of “threat actors” that “seem to have been populated with previously stolen data.”
The explanation from the health ministry did not, however, clarify how the Telegram bot was able to provide user information associated with a phone number. Since the government has never officially recognised that Aadhaar data has been compromised, there are no specifics on previous data breaches that have been brought up by the government.
When the phone number that was used to register for the CoWIN site was messaged to the bot, the Telegram account, which has not been inactive since Monday morning, displayed personal information about a person. The Telegram bot displayed the person’s name, the government identification they used to receive their vaccination, and the location where they got it, all while claiming to get their information through the CoWIN portal.
The health ministry stated in its statement that “CERT-In, in its initial report, pointed out that the backend database for Telegram bot was not directly accessing the APIs of the CoWIN database.” According to sources, the APIs are being used to access CoWIN data by over 110 institutions, including 78 government entities.
The ministry claimed that the platform’s development team had confirmed that no public APIs could access data without an OTP, but one API did allow users to share data with external organizations like the Indian Council of Medical Research (ICMR) by calling the phone number linked with their Aadhaar number. This API, they clarified, only allows queries from trusted APIs that CoWIN has whitelisted, according to the statement.