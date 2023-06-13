On Monday, several Indian media reported that India’s COVID-19 vaccine booking portal, CoWIN, was compromised, and sensitive personal information of thousands of users was leaked on the Telegram social messaging app.

It was claimed that a Telegram bot was revealing sensitive data of the users when inquired about an individual’s phone number. The bot leaked the name, Aadhaar number, PAN number, passport number, date of birth, location, gender, and the institute from where they got vaccinated.

Notably, a user had to save some of these details while registering for the CoWIN app.

Millions of Indian users had signed up on the CoWIN portal, launched on January 16, 2021, and have used it to book vaccination slots. The data includes more than 40 million children aged 12 to 14 and over 37 million people over the age of 45, a significant share of whom could be senior citizens.

Now, it is no longer possible to access this bot.

Indian government’s response

There were two, slightly different, reactions from the government.

The first came from the Indian health ministry, which outright rejected claims of a data leak, saying that "all such reports are without any basis and mischievous in nature".

In a press release, the health ministry said that there are three ways in which data on CoWIN can be accessed.

First, a user can access their data on the portal through a one-time password (OTP) sent to their mobile number.

Second, a vaccinator can access a person’s data, and the CoWIN system tracks and records each time an “authorised” user accesses the system.

Third, third-party applications that have been granted authorised access to the CoWIN APIs can access personal-level data of vaccinated people, but only after OTP authentication.

The government claimed that without an OTP, data cannot be shared with the Telegram bot.

The ministry further pointed out that CoWIN collects only a person’s year of birth, and that there is no provision to store a person’s address on the platform.

“Security Measures are in place on the Co-WIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management, etc,” it said in a statement.

The health ministry further said that it has roped in the Indian Computer Emergency Response Team (CERT-In)—the Indian nodal government agency that looks after cyber security—to look into this issue and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN.

However, minutes later, the Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, released a statement via Twitter saying that an initial investigation had already indicated that the data came from a previous instance of a CoWIN data leak.

"A Telegram Bot was throwing up Cowin app details upon entry of phone numbers. The data was being accessed by bot from a threat actor database, which seems to have been populated with previously stolen data," he said.
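To make the ministry’s three access paths and the minister’s explanation concrete, the following is an added illustration, not CoWIN’s own code, with constructed fake records: a small Python model of an OTP-gated lookup that writes an audit entry for every attempt, a bot that knows only a phone number and is refused, and a previously exfiltrated copy of the database that sits outside the gate entirely, so neither the OTP check nor the audit log ever sees the query. The class, function and field names are assumptions made for this illustration.

```python
"""Model of the three access paths the ministry describes: OTP-gated
self-service lookup, logged access by an authorised caller, and a copy of
the database that is outside the gate. Added illustration, not CoWIN code."""
import hashlib
import hmac
import secrets
import time

# Constructed sample records with fake values, covering the field set the
# article says the bot exposed (CoWIN itself stores only year of birth).
RECORDS = {
    "9100000001": {"name": "Asha Sample", "year_of_birth": 1975,
                   "id_last4": "1234", "centre": "Centre 12"},
    "9100000002": {"name": "Ravi Sample", "year_of_birth": 1948,
                   "id_last4": "9876", "centre": "Centre 7"},
}


class OtpGatedDirectory:
    """Releases a record only when a fresh OTP for that phone is presented."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}      # phone -> (sha256(otp), expiry timestamp)
        self.sms_outbox = {}    # phone -> otp; stands in for the SMS channel
        self.audit = []         # every access attempt, granted or denied

    def request_otp(self, phone, now=None):
        now = time.time() if now is None else now
        otp = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(otp.encode()).hexdigest()
        self._pending[phone] = (digest, now + self.ttl)   # store a hash, not the OTP
        self.sms_outbox[phone] = otp                       # only the SIM holder sees this

    def lookup(self, caller, phone, otp=None, now=None):
        now = time.time() if now is None else now
        pending = self._pending.get(phone)
        granted = (
            otp is not None
            and pending is not None
            and now <= pending[1]
            and hmac.compare_digest(
                hashlib.sha256(otp.encode()).hexdigest(), pending[0])
        )
        # Every attempt is recorded, which is what lets a later investigation
        # distinguish live misuse of the API from a leak of a stored copy.
        self.audit.append({"ts": now, "caller": caller, "phone": phone,
                           "result": "granted" if granted else "denied"})
        if not granted:
            return None
        del self._pending[phone]        # an OTP is single-use
        return RECORDS.get(phone)


def bot_query_live_api(directory, phone):
    """A bot that knows only a phone number cannot get past the gate."""
    return directory.lookup("telegram-bot", phone)


def user_self_service(directory, phone):
    """The subscriber requests an OTP, reads it off their phone, then looks up."""
    directory.request_otp(phone)
    otp = directory.sms_outbox.pop(phone)
    return directory.lookup("citizen", phone, otp)


def bot_query_stolen_copy(stolen_copy, phone):
    """A previously exfiltrated copy is outside the gate: no OTP, no audit entry."""
    return stolen_copy.get(phone)


if __name__ == "__main__":
    d = OtpGatedDirectory()
    print(bot_query_live_api(d, "9100000001"))      # None: denied and logged
    print(user_self_service(d, "9100000001"))        # the record, logged as granted
    print(bot_query_stolen_copy(dict(RECORDS), "9100000001"))  # the record, nothing logged
    print(d.audit)
```

The point of the last function is the one the minister’s statement turns on: an OTP check and an access log protect the live endpoint, but say nothing about data already copied out of it. A query against a stolen copy leaves no trace in the legitimate system’s audit trail, which is why a bot can answer phone-number lookups without the portal itself being touched.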

Experts have noted that the CoWIN breach controversy underlines the urgent need for a data protection bill that will protect citizens from such exposure and ensure the accountability of institutions.

What is a bot?

A bot, short for robot, is a software application programmed to perform tasks automatically by following a set of instructions. Because it runs those instructions without human intervention, it can carry out tasks and processes faster, more consistently and at a far higher volume than a person could.

On Telegram, every bot has a unique handle. To add a bot, one simply searches for it and clicks on the bot handle, and can then interact with it in the chat window.

These bots can support "any kind of task or service," with some popular functions including delivering answers to users' FAQs, converting certain file types into others, or setting reminders for users.

Of late, however, there has been a sharp increase in the misuse of bots, primarily to run scams or to exfiltrate personal data.

Can a bot threaten the privacy of users?

Apparently yes. One of the main concerns raised about chatbots is the collection of personal information. Many chatbots collect user data, including conversations, personal preferences and location. Though this data is nominally used to personalise the chatbot’s responses and improve the user experience, there have been many instances where it has been used for scams and identity theft, to spread malware and to launch cyberattacks.

Has this happened before?

Twice before there have been claims of a CoWIN breach. The first was in June 2021, when some claimed the portal had been hacked, resulting in the sale of data relating to 150 million Indians. The Indian government denied that this had happened.

Then, in January last year, when similar reports of a data breach emerged, the chief of the National Health Authority, Ram Sewak Sharma, responded that the database was "safe and secure".

What is CoWIN and how does it work?

CoWIN, which stands for COVID-19 Vaccine Intelligence Network, is a platform built under the aegis of the central government to run the vaccination process.

It provides services such as registration, beneficiary tracking, appointment scheduling, vaccine stock management, real-time data monitoring, identity verification, vaccination recording and the issuance of an instant digital certificate to each vaccinated individual.

CoWIN has so far recorded more than 2.2 billion administered vaccine doses through 5,773 vaccination sites.

(With inputs from agencies)