Cyber Crime Cell Investigates CoWIN Data Breach: Health Ministry 2023
The Hindu Business Line reported that the Union health ministry, despite asserting that CoWIN data has not been compromised, plans to file an FIR against the intrusion that may have originated from another database.
“We will submit a case with the Cyber Crime unit today or within the next two days. However, CoWIN data has not been compromised. However, an endeavor could have been made elsewhere. Cybercrime will investigate it. CERT-In is also conducting investigations,” officials familiar with the matter told the newspaper.
Earlier this month, vaccination recipient data, including dates of birth and addresses, were disclosed via malware on an instant messaging application, prompting rumors of a CoWIN data breach. The Ministry of Health and the Ministry of Electronics and Information Technology (MeitY) denied these reports.
CoWIN is not responsible for the breach.
The initial investigation by MeitY’s Computer Emergency Response Team (CERT) indicates that the breach did not originate from CoWIN but rather from another source that did not adequately secure the data, the source said, adding that the disclosed data was “more detailed than what CoWIN possesses.”
The official from the health ministry stated that CoWIN does not record precise birth dates for vaccine recipients, and that the CoWIN portal only collected the birth year. It also does not collect addresses, according to The Hindu Business Line.
CoWIN’s current security measures are being evaluated in an internal exercise. The official from the health ministry stated that “only OTP authentication-based access to data is provided,” meaning that data cannot be shared with any program that lacks an OTP.
The development team of CoWIN has affirmed that there are no public APIs from which data can be extracted without an OTP, the health ministry said in a previous statement.