India’s Ministry of Health and Family Welfare is now probing reports of an alleged data leak from the COVID-19 vaccination platform Covid Vaccine Intelligent Network or Co-WIN.
What is this about
Several media reports have shared Twitter posts claiming that personal data of vaccinated individuals can be accessed using Telegram bots. The bot is believed to be able to pull that data using a person’s mobile number or Aadhaar number (a unique 12-digit number).
In a statement, MOHFW denied the reports as “without any basis and mischievous in nature”.
“The Health Ministry’s Co-WIN portal is fully secure with adequate safeguards for data privacy,” it said.
The ministry has already tapped the Indian Computer Emergency Response Team to probe those reports, while an internal exercise is being conducted to review the existing security measures of the vaccination portal. In its preliminary report, CERT-In pointed out that the back-end database for the Telegram bot was not directly accessing the API of the Co-WIN database.
Why it matters
According to the ministry, access to Co-WIN data is possible only through OTP authentication and at three levels:
- Beneficiary Dashboard: Vaccinated persons can access their Co-WIN data using their registered mobile number with OTP authentication.
- Co-WIN Authorized Users: Commentators with authenticated log-in credentials. Their log-ins are tracked and recorded by the system.
- API-based access: Third-party apps with authorized access to the Co-WIN API can also access the vaccination data of an individual, only by using the OTP of the vaccinated beneficiary.
MOHFW clarified that a Telegram bot cannot share any Co-WIN data without a person’s OTP and it cannot capture their address.
The development team behind Co-WIN assures that there is no public API that can pull data from the vaccination platform without OTPs, although there are some APIs that have been developed with third parties such as the Indian Council of Medical Research for data sharing purposes.
Meanwhile, the API mentioned in the report is “very specific and requests are accepted only from a trusted API that has been white-listed by Co-WIN Applications,” the ministry said.
Additionally, the MOHFW said that the vaccination platform has security measures including a web application firewall, anti-DDoS, SSL/TLS, regular vulnerability assessments, and identity and access management.
Big trend
This is the third time that there have been allegations of Co-WIN data being leaked. In January last year, it was alleged that vaccination data, including the personal information of approximately 20,000 people, was being sold in an underground database market. Such reports were later dismissed by the ministry, which assured that the portal keeps people’s data “safe and secure”. Earlier, it was also reported that leaked data from India’s COVID-19 vaccination database was being sold on the market, which was also denied by the government.
Co-WIN went live in January 2021 to serve as a platform where citizens can book vaccination slots and download their vaccination certificates digitally. Regarded as a force for the public good, Co-WIN’s API was made open-source by the government six months later.
Meanwhile, the Government of India has upgraded the Co-WIN platform to track all vaccinations against common preventable diseases, including measles and rubella.










