Government refutes CoWin data leak rumours: Here’s clarity on what actually happened | Digit

On Monday, there were some social media posts and news reports about the CoWin data leak and that it was easily accessible via a bot. However, now Minister of Electronics and Information Technology of India, Mr Rajeev Chandrasekhar has denied the allegations. He clarifies what really happened in a Twitter post. 

Govt’s review of the CoWin data leak claims

CERT-In (Computer Emergency Response Team) has inspected the leaked data and upon reviewing the CoWin data available online, govt. realized there is in fact a Telegram bot that was showing CoWin app details when you feed it phone numbers. 

The bot is relying on a leaked database but apparently, the data within it was from a past leak.

Mr Chandrasekhar assures there has not been a direct CoWin breach this time. 

Finally, he announces the National Data Governance policy is ready and should offer a common framework for data storage, access and protection across the board. 

Additionally, the Health Ministry has said that whatever data is out there cannot be accessed without an OTP.

But, there are still some concerns about the whole incident.

What was the CoWin data leak problem?

Yesterday, the news broke out that CoWin data has leaked and the public data in the CoWin database like gender, date of birth, ID card information, phone number, last four digits of Aadhaar, and the name of the centre where the person got vaccinated.

Note, these were the data that you gave the portal at the time of booking Covaxin or Covidhsield vaccination slots. Who knew, the data you shared at times of distress will leak like this? Even if we pay heed to the government’s rebuttal, we are concerned about the data that was supposedly leaked in the past.

This is deemed to be a massive leak. And as some critics are pointing out, the Aadhaar number shouldn’t have been stored anywhere other than the Aadhaar Vault. This is something underlined in the Aadhaar Act. You can read about this on the UIDAI website.  

Journalists including:

1. Rajdeep Sardesai of India Today

2. Barkha Dutt of Mojo Story

3. Dhanya Rajendran of The NewsMinute

4. Rahul Shivshankar of Times Now@sardesairajdeep @BDUTT @dhanyarajendran @RShivshankar

(4/7) pic.twitter.com/zJv094RRiU

— Saket Gokhale (@SaketGokhale) June 12, 2023

CoWin had it mandatory that we enter the Aadhaar number to book vaccines for Covid-19. This and other data don’t seem to have been encrypted. Else, this breach wouldn’t have taken place. 

In the CoWin privacy policy, the platform is said to have “reasonable security measures”. It also puts the onus on the user for their data safety. It says, “You have and so long as You access and/or use the Platform (directly or indirectly) the obligation to ensure that You shall at all times, take adequate physical, managerial, and technical safeguards, at your end, to preserve the integrity and security of your data which shall include and not be limited to your Personal Information.”  

More importantly, now that Covid isn’t as big a threat as it once was, people who have taken the vaccines should be allowed to delete their CoWin account. This isn’t a big ask, one may argue.