A recent CoWIN data breach puts billions of Indians at risk

June 13, 2023

The CoWIN portal, a platform for COVID-19 vaccination registration in India, has fallen victim to a massive data breach, resulting in the potential compromise of personal information belonging to countless Indian citizens.

The alleged breach has made the personal data of every individual registered with the CoWIN portal available through the messaging app Telegram.

Because the portal has a huge user base of over one billion registered users, the CoWIN data breach has raised alarms among government leaders and privacy advocates.

An alarming vulnerability in the CoWIN portal meant that inputting a mobile number registered with the portal into a Telegram bot revealed sensitive information such as the vaccination ID card number, gender, birth year, and the vaccination centre where a person received their doses.

This data breach has gone beyond the mere exposure of personal details and has now put the Aadhaar card, Voter ID, and PAN Card numbers of thousands of Indian citizens at risk, making them easily accessible to anyone on Telegram. For context, Aadhaar is a unique 12-digit identity number issued to Indian citizens and resident foreign nationals based on their biometric and demographic information.

Researchers also discovered that the CoWIN data breach extends beyond individual registrations. Investigations have confirmed that if multiple individuals had registered for COVID-19 vaccinations using the same mobile number, the Telegram bot would disclose the personal details of all of those individuals in one go.

Security researchers have reached out to the Ministry of Health and Family Welfare but, as of this writing, have not yet received an official response regarding the CoWIN data breach.

How the data leak transpired on Telegram remains unclear, raising questions about the effectiveness of the CoWIN portal’s supposedly secure One-Time Password (OTP) system.

Based on our team’s investigations here at iZOOlogic, the alleged threat group behind this incident is Milad Leaks, a cybercriminal group that has recently been launching attacks against the infrastructure of the Indonesian government.

The CoWIN data breach incident has highlighted the exposure of sensitive data, requiring a thorough investigation, identification of system flaws, and prompt action to enhance security measures. Protecting the privacy and personal information of Indian citizens is vital to rebuilding people’s trust in the CoWIN platform.
