COVID-19 Vaccine Recipients’ Personal Data Leaked in Alleged Data Breach via Telegram, Centre Probing: Reports

The personal data of COVID-19 vaccine recipients in India was reportedly leaked online via a bot on a popular chat platform, allowing free access to users without the OTP required for the details stored on the CoWIN platform. According to details that surfaced on Twitter on Monday, the leaked data also includes the personal information on several politicians and journalists. The bot that served the information appears to have been blocked, and government officials are reportedly looking into reports of the leaked information.

A report by Malayala Manorama on Monday states that the personal details uploaded by users to the CoWIN portal for access to COVID-19 vaccination shots were available on Telegram via an automated bot. Screenshots of the bot in action surfaced online on Twitter earlier on Monday, and the newspaper states it was able in independently verify the claims made on Twitter. The bot appears to have been taken down after the initial reports of the data breach and Gadgets 360 was unable to test that bot on the messaging platform.

Users could input a mobile number and the bot would respond with personal information connected with the phone number such as their name, gender, date of birth, the vaccination centre, as well as details of the official ID provided by the vaccine recipient, such as their Aadhaar or passport number, according to the report, which states that entering the recipient's Aadhaar number would allow the bot to display the same details.

It is worth noting that until now, users would be able to access these details on the government's CoWIN portal after entering an OTP. However, the bot reportedly allowed access to this information with just the recipient's phone number. Trinamool Congress National Spokesperson Saket Gokhale tweeted several screenshots of the personal details of various politicians and journalists found using the Telegram bot.

In January 2021, National Health Authority CEO RS Sharma tweeted “#CoWIN has state-of-the-art security infrastructure and has never faced a security breach. Data of our citizens on CoWIN is absolutely #safe and #secure. Any news about data leaks from CoWIN holds no merit.”

Meanwhile, NDTV reported that government officials are probing the source of the alleged leak of personal information via the Telegram bot. “The government is investigating whether the data was sourced through CoWIN or some other application,” official sources told NDTV.