CoWIN data breach: Security experts call for precautionary measures

They say the government should consider scenarios of how the data can be used to attack individuals, assuming the leak is real

SUMMARY
  • Though the breach has not been verified, security experts say the government should take some proactive measures
  • The Ministry of Health and Family Welfare clarified that the CoWIN portal is completely safe, with adequate safeguards for data privacy in place
  • Data is provided only on the basis of OTP authentication. All necessary steps are being taken to ensure the security of the data, it said

Reports that the CoWIN platform was breached and that the data of millions of citizens was compromised have left citizens worried about their personal data being misused. The government has clarified that no such breach has occurred. However, since the Telegram bot was, before its removal, giving out data like Aadhaar and date of birth when mobile numbers were entered, that data could be available in the public domain. If this data were to fall into the wrong hands, it could be misused, leading to identity theft, digital fraud, and financial fraud.

Though the breach has not been verified, security experts say the government should take some proactive measures.

Amit Jaju, Senior Managing Director of Ankura Consulting Group (India), says that the government should now consider scenarios on how the data can be used to attack individuals, assuming this leak is real. Precautionary measures should be taken, and citizens should be instructed accordingly.

The Ministry of Health and Family Welfare clarified that the CoWIN portal is completely safe, with adequate safeguards for data privacy in place. Furthermore, security measures like a Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management, etc., are in place, it said. Data is provided only on the basis of OTP authentication. All necessary steps are being taken to ensure the security of the data, it said.

Rajeev Chandrasekhar, Minister of State of Electronics and Information Technology, said CERT-In, the country’s nodal cyber security agency, immediately responded, and it does not appear that the CoWIN app or database was directly breached. He said a Telegram bot was accessing CoWIN app details based on phone numbers entered. “The data being accessed by the bot is from a threat actor database, which seems to have been populated with previously breached/stolen data from the past. It does not appear that the CoWIN app or database has been directly breached,” the minister said.

However, Akshara Bassi, Senior Research Analyst at Counterpoint Research, says, “The action plan should include limiting API access even within inter nodal agencies to reduce the risk of data breaches. Additionally, a standard framework for security, data sharing, and storage should be implemented by the government and partner agencies to reduce loopholes. The ideal case would be to start implementing ‘Zero Trust Architecture’ for all IT infrastructure.”


Published on: Jun 13, 2023, 5:31 PM IST