Science & Tech

CoWIN Vaccination Data Exposure

  • Data breach reports: The Health Ministry disputed rumours of a data breach involving COVID vaccination beneficiaries on Monday, claiming that such reports were untrue and malicious in character.
  • CERT-In investigation: To ascertain the facts, the Indian Computer Emergency Response Team (CERT-In) has been ordered to investigate the claimed data breach issue and provide a report.
  • Data security assurance: The Ministry insists that the CoWIN (Covid Vaccine Intelligence Network) interface is totally secure, with proper controls in place to protect data privacy.

About CoWIN

  • CoWIN was created and is owned and controlled by the Ministry of Health.
  • Policy choices are overseen by the Empowered Group on Vaccine Administration (EGVAC), which is chaired by the previous CEO of the National Health Authority. It is made up of representatives from the Health Ministry and the MeitY (Ministry of Electronics and Information Technology).

Assessment of Alleged Breach

  • The following are the results of the CERT-In review: The CERT-In review concluded that there was no direct breach of the CoWIN app or database.
  • Telegram bot data source: The Telegram bot accessed data from a second threat actor database, which contained previously compromised or stolen data.
  • There is no direct violation of CoWIN: According to the Ministry, it does not appear that the CoWIN app or database was directly compromised.

CoWIN Data Access Clarification

  • There are three ways to access data: The Ministry describes three methods for gaining access to data on the CoWIN portal: user access, vaccinator access, and authorised third-party applications.
  • Data sharing with Telegram bot: According to the Ministry, data cannot be exchanged with the Telegram bot without first passing one-time password (OTP) verification.
  • CoWIN simply collects the year of birth and does not gather an individual’s address.

Questions Unanswered and API Access

  • Uncertainty about recent breaches: The Ministry has not stated specifically whether the CoWIN database was compromised lately or in the past.
  • Insights regarding bot accuracy are lacking: The Ministry’s statement provides no information about the accuracy of the Telegram bot’s retrieval of citizens’ data from the CoWIN database.
  • API access without OTP: The Ministry acknowledges the existence of an API that permits data sharing without OTP, but emphasises that only requests from reliable whitelisted APIs are accepted.

Aadhaar Data and Concerns

  • Aadhaar details accuracy: Concerns have been raised about the accuracy of showing Aadhaar numbers relating to mobile numbers, as the government has never officially acknowledged any breaches of Aadhaar data.
  • Clarification is required: The Ministry’s statement does not explain how the Telegram bot accurately presented Aadhaar numbers.
  • Addressing security concerns: The Ministry should address security concerns about Aadhaar data and give transparency about its security procedures.

Future Steps and Data Governance Policy

  • Empowering CERT-In: The Health Ministry has requested a final report from CERT-In to investigate the alleged data breach incident thoroughly.
  • National Data Governance policy: The Ministry highlights the finalization of the National Data Governance policy, which aims to establish a common framework for data storage, access, and security standards across the government.
  • Awaited response from CERT-In: The Ministry is awaiting a response from CERT-In regarding the issue, which will provide further insights into the nature of the breach.

Prior Leaks and Assurance

  • Assurances of secure infrastructure: According to health officials, CoWIN boasts cutting-edge secure infrastructure and has never experienced a security compromise.
  • Previous claims were dismissed: Previous reports of data leaks, such as the ‘Dark Leak Market’ event, were disregarded by health officials, who emphasised the importance of citizen data security.
  • CoWIN has adopted security measures such as a web application firewall, frequent vulnerability assessments, and OTP authentication to ensure data security.

Consequences of this data leak

  • Identity theft dangers: Individuals are at danger of identity theft as a result of the disclosed data, as sensitive information might be utilised for fraudulent purposes.
  • Scammers with access to personal information may undertake targeted scams and phishing assaults, resulting in financial loss and potential injury to persons.
  • Loss of confidence in government systems: The data leak erodes public trust in the government’s ability to protect sensitive information, undermining trust in the vaccination programme and other government programmes.
  • Damage to reputation: The event may taint the reputation of the CoWIN platform and linked government entities, undermining their credibility in managing sensitive data.
  • Concerns about data security may discourage individuals from participating in the vaccine programme, hampering efforts to restrict the spread of COVID-19.
  • Accountability demands: The data leak leads demands for accountability from the involved government institutions, as well as the development of tougher data protection measures for citizens.


  • The CoWIN portal data leak event raises severe concerns regarding the privacy and security of users’ personal information.
  • While the Ministry of Health insists that the CoWIN app and database were not directly compromised, access to sensitive data via a Telegram bot raises concerns about the system’s integrity.
And get notified everytime we publish a new blog post.