On the evening of June 11, a journalist from the Kerala-based news portal The Fourth reported that a Telegram bot in a channel called “hak4learn” was offering access to the private data of millions of Indians. All a user had to do was put in a phone number or Aadhaar (India’s national ID) number, and it would return details including their name, passport number, and date of birth. The data appears to have come from India’s CoWIN vaccination tracking app, which has more than 1 billion registered users.
“The scale of the data breach is what makes it hard to guess the repercussions,” says Srikanth Lakshmanan, a researcher who runs the digital payments collective Cashless Consumer. “Conservative estimates mean at least personal data of several hundred million users was exposed.”
Local news outlets have been able to use the bot to access the personal information of politicians. WIRED couldn’t independently verify their reporting; by the morning of June 12 the bot was inactive. The fact that it has shut down doesn’t mean the breach is over, Lakshmanan says, since the bot was likely just a shop window for whoever accessed the database.
“Usually, hackers reveal a slice of data publicly via a bot or web page to prove to the world they have said data and then sell it on the dark web,” Lakshmanan says. “While the bot is down now, we don’t know where all the data is being traded.”
India’s digital public infrastructure has expanded massively over the past several years, with the growing popularity of the Aadhaar identity system, the proliferation of the digital payments system United Payments Interface, and the launch of CoWIN.
This growth has meant that there is a vast amount of public data on file, but digital rights experts worry that cybersecurity and legal frameworks around data storage haven’t kept pace with the growth.
“The data involved with government entities is organically very large,” says Tejasi Panjiar, an associate counsel at the Internet Freedom Foundation, an organization that advocates for digital rights. “Which is why there needs to be very strict data-security standards for government-based entities.”
Panjiar further said that the concern is that India doesn’t have a cybersecurity policy and that even the current data-protection framework “takes away that aspect of compensation that affected users would get,” making such leaks an even bigger cause for concern. “I think it’s a time for worry for everyone who’s been vaccinated through CoWIN,” added Panjiar.
The health ministry has said that claims that the CoWIN portal has been breached are “without any basis” and that the Computer Emergency Response Team, the agency responsible for responding to cybersecurity incidents, has been asked to investigate.
India’s IT minister, Rajeev Chandrasekhar, tweeted that the data accessed by the bot is from a “threat actor database” and that “it does not appear that CoWIN app or database has been directly breached.”
An independent report by digital risk monitoring platform CloudSEK seems to validate this to some extent. The company’s research suggests that rather than having access to the entire CoWIN database or backend, the hackers may have instead gotten hold of multiple credentials from health workers, allowing them more limited access to records.
“What CloudSEK knows with high confidence is that threat actors have access to multiple credentials that belong to health workers that could be used to access the CoWIN portal for those individual health workers and the data they have access to,” says Rahul Sasi, chief executive of CloudSEK. “What we also speculate is some sort of unauthenticated API that would have allowed attackers to query specific user details. But there is no proof at this point of time.”
CoWIN was launched in January 2021 as the foundation of India’s vaccination drive. The platform, which was also available as a mobile app, was used by people to book their vaccination slots and generate a vaccination certificate for themselves and their family members. The government at the time was criticized for making CoWIN the only way for Indians to book a vaccination appointment, excluding millions who didn’t have access to a smartphone or the internet.
This isn’t the first time the news of a CoWIN database has surfaced. In 2021, Dark Leak Market, a hacker group, said it had access to the data of 150 million Indians registered on CoWIN. The health ministry denied the claims, saying the platform stores “all the data in a safe and secure digital environment.” At the time, cybersecurity researchers said they suspected the “leak” was a scam.
