Context: There was an alleged breach of personal data of beneficiaries who received COVID vaccination from the CoWIN portal, including Aadhaar, passport details, gender, date of birth, etc.
About the CoWIN (Covid Vaccine Intelligence Network) portal
- The Indian government’s cloud-based IT solution for planning, implementation, monitoring, and evaluation of Covid-19 vaccination in India is called CoWIN.
- This allows the system to monitor the utilization, wastage, coverage of Covid-19 vaccination at national, state, district and sub-district level.
- The Ministry of Health and Family Welfare owns the platform, which was previously used for conducting Pulse Polio and other crucial immunization programs across the country.
- CoWIN is essentially an extension of EVIN (Electronic Vaccine Intelligence Network).
What’s in Today’s Article?
- The CoWIN Portal
- Significance of the Portal
- CoWIN Data Breach
- How did these Data Breach?
- Way Ahead
The CoWIN Portal:
- CoWIN is a government-owned web portal set up in 2021 to administer and manage India’s COVID-19 vaccine rollout.
- The platform tracks vaccines and beneficiaries at the national, State, and district levels on a real-time basis.
- It monitors vaccine utilisation and wastage and maintains an inventory of the vials.
- For citizens, CoWIN verifies identity, helps schedule vaccine appointments, and issues a vaccine certificate.
- The platform is a microservices-based, cloud-native architecture developed from the ground up on Amazon Web Services (AWS).
- A microservice architecture is a pattern that arranges an application as a collection of loosely linked, fine-grained services.
- These services interact with each other through certain set protocols.
Significance of the Portal:
- The health register-style platform leverages existing public digital infrastructure like the –
- Electronic Vaccine Intelligence Network (EVIN), an app that provides data on vaccine cold chains in the country;
- Digital Infrastructure for Verifiable Open Credentialing (DIVOC), a vaccine certificate issuer; and
- Surveillance and Action for Events Following Vaccination (SAFE-VAC), a vaccine adverse event tracker.
- The database captures information flowing from four separate input streams –
- Citizen registration;
- Health centres;
- Vaccine inventory; and
- Vaccine certificates.
- Each stream functions independently, and at the same time exchanges data to minimize redundancies.
CoWIN Data Breach
- The hacker behind the CoWIN data leak has come forward and admitted responsibility for the recent breach related to the platform used for Covid-19 vaccination registration.
- In an exclusive interaction with India Today, the hacker explained that he did not breach the CoWIN platform itself, but instead found vulnerabilities in an associated platform. He did not name the platform.
- The hacker operated a Telegram chatbot that generated personal details of vaccinated individuals, and they accessed this information through the vulnerabilities in the other platform.
- Earlier reports indicated that the entire CoWIN data had been hacked and leaked on Telegram.
- The screen grabs of leaked data included personal information such as names, mobile numbers, Aadhaar card details, PAN card details, date of birth, and vaccination center information. In some instances, even the passport details were leaked.
How did these Data Breach?
- Cloud providers like AWS typically provide security only for the underlying infrastructure and not for securing the applications and databases.
- Legacy systems deployed in virtual servers are the weak links in the chain, providing a perfect route for hackers to gain entry into a database.
- In past data breaches, cybersecurity experts have attributed data leaks to human error or negligence in setting up databases in the cloud.
- Misconfiguring a system, or involvement of third-party apps with limited privacy features, could have also exposed user data to unauthorised people.
Government Response on the Recent Data Breach
- The Health Ministry on Monday said reports of data breach of beneficiaries who received COVID vaccination are “without any basis and mischievous in nature.” It said the Indian Computer Emergency Response Team (CERT-In) had been asked to investigate the issue and submit a report.
- The CoWIN (Covid Vaccine Intelligence Network) portal is completely safe with adequate safeguards for data privacy, the Ministry maintained.
- Rajeev Chandrasekhar, Union Minister of State for Electronics and Information Technology, tweeted, clarifying that the CoWIN app or database has not been directly breached. He mentioned that the data being accessed by the bot from a threat actor database appears to have been populated with previously breached or stolen data.
- The database, he said, was other than CoWIN.
Way Ahead
- In 2017, the Supreme Court of India (in KS Puttaswamy case) recognised privacy as a fundamental right, highlighting the need to protect personal information.
- However, such leaks reveal that sensitive personal data of millions of Indian citizens who signed up for the COVID-19 vaccination is in the hands of cybercriminals.
- Therefore, a data protection law could be a useful tool in fixing accountability and building safeguards around the use and processing of personal data.
Read also:- Vaccination Trials-Path
CoWIN Data Leak & Data Protection Regime in India,CoWIN Data Leak & Data Protection Regime in India,CoWIN Data Leak & Data Protection Regime in India
