Covid database: India’s health ministry denies major breach

Woman gets a booster shot in Hyderabad, IndiaGetty Images

The Indian health ministry has denied reports of a major leak of personal data from its Covid vaccination database.

In a statement it said “all such reports are without any basis and mischievous in nature”, but it has ordered an official investigation into the matter.

The health ministry’s CoWin database contains the personal details of millions of people.

This Twitter post cannot be displayed in your browser. Please enable Javascript or try a different browser.View original content on Twitter

The BBC is not responsible for the content of external sites.

Skip twitter post by Ministry of Health

Allow Twitter content?

This article contains content provided by Twitter. We ask for your permission before anything is loaded, as they may be using cookies and other technologies. You may want to read Twitter’s cookie policy and privacy policy before accepting. To view this content choose ‘accept and continue’.

The BBC is not responsible for the content of external sites.

There does, however, appear to be some disagreement within the Indian government over the alleged data breach.

The Minister of Electronics and Technology, Rajeev Chandrasekhar, released a statement via Twitter saying an initial investigation had already indicated that there had been a leak of CoWin data.

He said that a bot, accessible via the Telegram messaging service was “throwing up CoWin app details upon entry of phone numbers”.

This Twitter post cannot be displayed in your browser. Please enable Javascript or try a different browser.View original content on Twitter

The BBC is not responsible for the content of external sites.

Skip twitter post 2 by Rajeev Chandrasekhar 🇮🇳

Allow Twitter content?

This article contains content provided by Twitter. We ask for your permission before anything is loaded, as they may be using cookies and other technologies. You may want to read Twitter’s cookie policy and privacy policy before accepting. To view this content choose ‘accept and continue’.

The BBC is not responsible for the content of external sites.

Mr Chandrasekhar said initial investigations by the Indian Computer Emergency Response Team (IndianCert) had found that the data of millions of Indians that had been “previously breached or stolen” from the Covid vaccine database, had been accessible.

Has there been a leak?

A local Indian media outlet first reported on the alleged leak in a YouTube video showing how a Telegram bot was revealing up information on well-known politicians in the southern state of Kerala.

The Malayalam media outlet called ‘The Fourth’ showed how it was possible to obtain personal data such as a date of birth, the identity document used for registering a Covid vaccination, the location of where the first dose was received, the gender and the phone number of an individual.

Other news outlets subsequently checked the bot and verified that the personal details of prominent individuals they obtained were indeed accurate.

It is no longer possible to access this bot, but the circumstances under which it has been removed are unclear.

The BBC has asked Telegram whether the account that had made the bot available had been actively removed or taken down voluntarily but has not yet received a response.

Srikanth Lakshman, a digital identity expert who accessed the bot before it became inactive, said that information relating to both and adults had been available.

“Only the CoWin database is supposed to have this kind of detail” he told the BBC.

Several cyber security experts have express concerns after the incident was reported and pointed out that no security alert was issued by India’s Computer Emergency Response Team.

Has this happened before?

In June 2021, there were claims that the CoWin portal had been hacked resulting in the sale of data relating to 150 million Indians. The Indian government denied that this had happened.

Then in January last year, when similar reports of a data breach emerged, the chief of the National Health Authority, Ram Sewak Sharma, responded saying the database was “safe and secure”.