Vajram-And-Ravi

CoWIN Data Breach: What does the alleged data leak reveal?

26-08-2023

01:17 PM


What’s in today’s article?

  • Why in News?
  • The CoWIN Portal
  • Significance of the Portal
  • CoWIN Data Breach
  • How did these Data Breaches Occur?
  • Government Response on the Recent Data Breach
  • Way Ahead

 

Why in News?

  • According to reports, a bot on the messaging app Telegram is returning personal information of Indian citizens who enrolled on the COVID-19 Vaccine Intelligence Network (CoWIN) portal for vaccination purposes.
  • The bot revealed personal details such as name, Aadhaar and passport numbers when a phone number was entered.

 

The CoWIN Portal:

  • CoWIN is a government-owned web portal set up in 2021 to administer and manage India’s COVID-19 vaccine rollout.
  • The platform tracks vaccines and beneficiaries at the national, State, and district levels on a real-time basis.
  • It monitors vaccine utilisation and wastage and maintains an inventory of the vials.
  • For citizens, CoWIN verifies identity, helps schedule vaccine appointments, and issues a vaccine certificate.
  • The platform is a microservices-based, cloud-native architecture developed from the ground up on Amazon Web Services (AWS).
    • A microservice architecture is a pattern that arranges an application as a collection of loosely linked, fine-grained services.
    • These services interact with each other through certain set protocols.

 

Significance of the Portal:

  • The health register-style platform leverages existing public digital infrastructure such as:
    • Electronic Vaccine Intelligence Network (eVIN), an app that provides data on vaccine cold chains in the country;
    • Digital Infrastructure for Verifiable Open Credentialing (DIVOC), a vaccine certificate issuer; and
    • Surveillance and Action for Events Following Vaccination (SAFE-VAC), a vaccine adverse event tracker.
  • The database captures information flowing from four separate input streams:
    • Citizen registration;
    • Health centres;
    • Vaccine inventory; and
    • Vaccine certificates.
  • Each stream functions independently, and at the same time exchanges data to minimise redundancies.

 

CoWIN Data Breach:

  • This is not the first time reports about data leaks have emerged.
  • In January 2022, the personal data of thousands of people in India were reportedly leaked from a government server.
    • The information included COVID-19 test results, phone numbers, names and addresses of citizens.
  • In December 2022, in a separate security breach, an Iranian hacker claimed to be in possession of data from the CoWIN database.

 

How did these Data Breaches Occur?

  • Cloud providers like AWS typically provide security only for the underlying infrastructure, not for the applications and databases running on it.
  • Legacy systems deployed in virtual servers are the weak links in the chain, providing a perfect route for hackers to gain entry into a database.
  • In past data breaches, cybersecurity experts have attributed data leaks to human error or negligence in setting up databases in the cloud.
  • Misconfiguring a system, or involvement of third-party apps with limited privacy features, could have also exposed user data to unauthorised people.

 

Government Response on the Recent Data Breach:

  • The Health Ministry denied recent reports of a data breach and said the allegations were mischievous in nature.
  • It added that the Indian Computer Emergency Response Team (CERT-In) was reviewing the existing security infrastructure of the portal.
  • The Ministry of Electronics and IT said the nodal cyber security agency had reviewed the alleged breach and found that the CoWIN platform was not directly breached.

 

Way Ahead:

  • In 2017, the Supreme Court of India (in the KS Puttaswamy case) recognised privacy as a fundamental right, highlighting the need to protect personal information.
  • However, such leaks reveal that sensitive personal data of millions of Indian citizens who signed up for the COVID-19 vaccination is in the hands of cybercriminals.
  • Therefore, a data protection law could be a useful tool in fixing accountability and building safeguards around the use and processing of personal data.

 


Q1) What is the Indian Computer Emergency Response Team (CERT-In)?

It was formed in 2004 by the Government of India under the IT Act, 2000. It is an office within the Ministry of Electronics and Information Technology and is the nodal agency to deal with cyber security threats like hacking and phishing.

 

Q2) What is the KS Puttaswamy case?

Also known as the Right to Privacy verdict, it is a landmark decision (2017) of the Supreme Court of India, which holds that the right to privacy is protected as a fundamental right under Articles 14, 19 and 21 of the Constitution of India.

 


Source: Explained | What does the alleged CoWIN data leak reveal?