Claims of data breach mischievous, CoWIN portal completely safe: Health Ministry

New Delhi, June 12 The Union Ministry of Health and Family Welfare (MoHFW) on Monday dubbed the alleged data breach of Covid-19 vaccine beneficiaries as "mischievous in nature", saying that the CoWIN portal is completely safe with adequate safeguards for data privacy.

The Health Ministry also said that it has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report, besides initiating an internal exercise to review the existing security measures of CoWIN.

The Health Ministry's remarks came after some media reports and social media posts claimed breach of data of vaccine beneficiaries.

These reports also alleged breach of data from the CoWIN portal of the Health Ministry, which is the repository of all the data of beneficiaries who have been vaccinated against Covid-19.

The Health Ministry said in a statement, "Certain posts on the social media platform Twitter have claimed using a 'Telegram (online messenger application) BOT', the personal data of individuals who have been vaccinated is being accessed.

"It is reported that the BOT has been able to pull individual data by simply passing the mobile number or Aadhaar number of a beneficiary.

"It is clarified that all such reports are without any basis and mischievous in nature. CoWIN portal of Health Ministry is completely safe with adequate safeguards for data privacy."

It also said that security measures are in place on the CoWIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity and Access Management etc.

"Only OTP authentication-based access of data is provided. All steps have been taken and are being taken to ensure security of the data in the CoWIN portal," the Health Ministry said.

It also said that CoWIN was developed and owned and managed by the MoHFW.

The Health Ministry said that it has requested CERT-In to look into this issue and submit a report and also initiated an internal exercise to review the existing security measures of CoWIN.

"CERT-In in its initial report has pointed out that backend database for Telegram Bot was not directly accessing the APIs of CoWIN database," it added.

"An Empowered Group on Vaccine Administration (EGVAC) was formed for steering the development of CoWIN and for deciding on policy issues. Former CEO of National Health Authority (NHA) chaired the EGVAC which also included members from MoHFW and MeitY," it said.

The Health Ministry also clarified that CoWIN data access - at present individual level vaccinated beneficiary data access is available at three levels - through beneficiary dashboard, in which the person who has been vaccinated can have an access to CoWIN data through use of registered mobile number with OTP authentication or CoWIN authorised user, where the vaccinator with use of authentic login credential provided can access personal level data of vaccinated beneficiaries.

"But the CoWIN system tracks and keeps record of each time an authorised user accesses the CoWIN system," the Health Ministry said.

It also said that one can also access data through API based access in which the third-party applications, who have been provided authorised access of CoWIN APIs, can access personal level data of vaccinated beneficiaries only through beneficiary OTP authentication.

Commenting on the Telegram BOT, the ministry said, "Without OTP, vaccinated beneficiaries' data cannot be shared to any BOT. Only Year of Birth is captured for adult vaccination but it seems that on media posts it has been claimed that BOT also mentioned date of birth (DOB). There is no provision to capture address of beneficiary."

It added: "The development team of CoWIN has confirmed that there are no public APIs where data can be pulled without an OTP."

The ministry said that there are some APIs which have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar.

However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the CoWIN application.

Disclaimer: This post has been auto-published from an agency feed without any modifications to the text and has not been reviewed by an editor