There have been a set of recent reports indicating a potential large scale data breach of the CoWIN portal. Personal and sensitive data of individuals including name, gender, date of birth, address, aadhar number, mobile number and the location of their vaccination centre, can be accessed through a Telegram bot. While the extent of the data breach has to be determined, the data leaked so far seems credible.

We consider this breach to be a serious matter that puts the personal information and sensitive health data of millions of individuals at risk. It is the responsibility of the governement to protect personal data, especially, health data of its citizens, and this is indeed a dire consequence for every Indian citizen, as the registration on CoWin portal was made mandatory for obtaining a vaccine. This is nothing but a serious lapse on the part of the Cybersecurity that is supposed to be povided to the citizens private data. The government should come out with a whitepaper on this issue. It is important to note that this is not the first of its kind.

In the recent past, there have been a series of data breaches, in a number of cases, such as, BigBasket, Air India, MobiKwik data leaks. We have also made a point to alert the citizens when Covid-19 test results were being published by the BBMP (Bruhat Bengaluru Mahanagara Palike) without adequate security, thereby, making it vulnerable for a breach. It is here, that the CERT-In should have stepped in to prepare our Cybersecurity infrastructure and strengthen it, in order to prevent cyber attacks and such data breaches. At the least, it is the CERT’s duty to inform the public about the existing threats, data breaches and leaks at the earliest, so that, citizens may atleast
take some steps to secure their data.

Free Software Movement of India has been continuously raising concerns since the conceptualization of the Health Stack and CoWIN, and how sensitive information, such as Health information of the most populated country in the world, is being handled, from collection to storage, and its third-party integration.

The FSMI demands that the government should investigate this incident thoroughly and release a whitepaper detailing the extent of the breach, the reasons and any possible further vulnerabilities and enhance cybersecurity. We demand that it should be taken up on a high priority basis and ensure that the citizens’ privacy is protected.

With Regards
Kiran Chandra,
General Secretary,
Free Software Movement of India.