CoWIN data hacked? Govt says data breach reports appear fake, MeitY to investigate

The Union Health Ministry on Friday stated that reports of an alleged breach of data related to the vaccination status and personal information of 150 million Indians prima facie appeared to be fake, following reports of a data breach that began to do the rounds earlier in the day.

On Friday, a website called Dark Leak Market was reportedly selling a database of COVID-19 vaccinated Indian users with a price of $800 mentioned on the website, according to a report by Moneycontrol. While the website stated that it was not the “original leaker” of the data, it claimed to have information including the vaccination data of 150 million people including their names, Aadhaar numbers and their locations, the report states.

At 10:34 PM on Friday, Minister for Health & Family Welfare Dr Harsh Vardhan tweeted: Reports of (the) CoWIN platform being hacked, prima facie appear to be fake. Out of abundant precaution, (an) emergency response team of (the Ministry of Electronics & IT, or MeitY) is investigating the matter. Data speculated to have been leaked such as geo-location of beneficiaries, is not even collected on Co-WIN.”

“All data on #CoWIN is stored in a secure digital environment and is not shared with anyone outside of it,” Dr Harsh Vardhan said in a follow-up tweet. Meanwhile, independent security researcher Rajshekhar Rajaharia tweeted that the CoWIN portal was not actually hacked, but that the claim of the data breach on the platform (by a dark web portal that claimed to be “reselling” the data) was actually a “Bitcoin scam”.

Rajaharia also tweeted images that claimed the “leaked documents” posted on the site about previous data leaks were fake – such as the controversial Mobikwik hack, which he claims isn't available on the dark web – and SBI YONO, which has not suffered any known breaches yet. “This market is frequently posting fake data leaks and scamming people. They are just taking Bitcoin for nothing,” he explained, adding that there was no data sample available to verify the authenticity.

Meanwhile, lawyer and IFF head Apar Gupta urged caution, stating that it was necessary for the Indian government's Computer Emergency response team (or Cert-in) to step in and independently investigate and verify the issue. He also pointed out that CoWIN did not have a privacy policy until the Delhi High Court issued directions on June 2. “We must resist the temptation to issue a blanket denial. Investigate, verify, please!” he tweeted on Friday evening. Gupta later retweeted Rajaharia's claim that the leak was a hoax, stating “it does focus the conversation on data leaks. We do need breach notification obligations”.