CoWIN Data Leak: Hacker explains how he managed to get Aadhaar, PAN, address, other details of users


CoWIN is the official portal for registering and booking appointments for Covid-19 vaccination in India. It was launched in January 2021 and has been used by over a billion people so far. However, recently, there have been reports of a data breach that allegedly exposed the personal and sensitive information of millions of users who registered on CoWIN.

What happened?

On June 5, 2023, Rakesh Krishnan, a senior threat analyst in an IT company, claimed on LinkedIn and Twitter that CoWIN had been hacked and the data was out in the public domain. He said he had contacted the hacker who had posted CoWIN's data on an Indonesian Telegram leak channel, where data breaches from various countries are regularly publicised for sale.

According to Krishnan, the hacker had held this data for the past year and had even reported it to the government, but no action was taken. He said the hacker was selling the data to only one person for $400 (Rs 33,000) and was accepting payment only via cryptocurrency.

The data allegedly included users' names, phone numbers, Aadhaar numbers, passport numbers, date of birth, address and vaccination status. The hacker claimed to have access to 150 million records of CoWIN users.

On June 12, 2023, a Malayalam news portal reported that it had accessed the data on Telegram through a bot that randomly generated users' details when a phone number was entered. The News Minute also reported that it had verified the data through the same bot and found it to be accurate.

How did the government respond?

The government denied any data breach of CoWIN and said that the portal was completely safe and secure. The Minister of State for Electronics and IT, Rajeev Chandrasekhar, said that the Indian Computer Emergency Response Team (CERT-In), the nodal cyber security agency, had reviewed the alleged breach and found that CoWIN was not "directly breached".

He said that the data being accessed by the bot was from a "threat actor database", which seemed to have been populated with previously stolen data. He also said that CoWIN did not collect users' date of birth or address, and that without an OTP (one-time password), data could not be shared with the bot.

The Ministry of Health also issued a press release in which it explained the three ways in which data on CoWIN can be accessed: by users through OTP authentication, by vaccinators whose access is tracked and recorded by the system, and by third-party applications that have been authorised to access CoWIN APIs (application programming interfaces).

The Ministry said that there was one API that allowed sharing data by using just a phone number, but it was very specific and only accepted requests from a trusted API that had been whitelisted by CoWIN.

What are the implications?

The alleged data breach of CoWIN has raised serious concerns about the privacy and security of users' personal and sensitive information. If true, it could expose millions of people to identity theft, fraud, scams, phishing, spamming and other cyber crimes.

Experts have called for more transparency and accountability from the government regarding the incident and urged it to conduct a thorough investigation and audit of CoWIN's security systems. They have also demanded stringent rules and compliance for data protection and privacy in India.

Some experts have also questioned the government's claims and said that they raise more questions than they answer. For instance, how did the hacker get access to such a large amount of data for so long? How did he manage to bypass CoWIN's security measures? How did he link users' phone numbers with their Aadhaar and passport numbers? How did he verify the accuracy of the data? How many people have bought or accessed the data so far? And most importantly, how can users protect themselves from potential harm?

What can users do?

While there is no official confirmation or clarification on whether or not CoWIN's data has been leaked or compromised, users can take some precautionary steps to safeguard their online identity and information. Some of these are:

- Change passwords and PINs of online accounts regularly and use strong and unique passwords for different accounts.
- Enable two-factor authentication or multi-factor authentication wherever possible for extra security.
- Avoid clicking on suspicious links or attachments in emails, messages or social media posts that claim to be from CoWIN or related to Covid-19 vaccination.
- Beware of phishing calls or messages that ask for personal or financial details or offer fake vaccination certificates or benefits.
- Monitor credit reports and bank statements for any unusual or fraudulent transactions and report them immediately.
- Update antivirus and firewall software on devices and use a secure network for online activities.
- Report any data breach or cyber crime to the authorities and seek legal help if needed.

CoWIN is a crucial platform for India's fight against Covid-19 and its data security is of paramount importance. Users have the right to know how their data is collected, stored, used and shared by the government and its partners. They also have the responsibility to protect their data from unauthorized access and misuse by cyber criminals. By being vigilant and aware, users can help prevent data breaches and safeguard their online privacy.

Source
Two Days After CoWIN Data Leak Report, Concerns Mount. https://thewire.in/tech/cowin-data-leak-certin-update-scam-identity-theft-aadhaar
