CoWIN data leak claim that was made on the dark Web and circulated on social media on Thursday has been denied by the government. In response to the social media posts alleging the sale of data pertaining to 150 million people vaccinated by the COVID-19 vaccines in the country, the Ministry of Health and Family Welfare said that prima facie, the reports appeared to be fake. The ministry claimed that all the vaccination data it collected through the CoWIN platform was stored in a “safe and secure digital environment” and was not shared with any third parties.
Through a brief statement released while responding to the data leak claims, the ministry notified that despite initially considering the reports fake, the matter is being investigated by the Indian Computer Emergency Response Team (CERT-In) of the Ministry of Electronics and Information Technology (MeitY).
“Our attention has been drawn towards the news circulating on social media about the alleged hacking of CoWIN system. In this connection we wish to state that CoWIN stores all the vaccination data in a safe and secure digital environment,” said RS Sharma, Chairman of the Empowered Group on Vaccine Administration.
Cybercrime intelligence platform DarkTracer first brought the matter into limelight on Thursday when it tweeted a screenshot showing the sale of data allegedly related to 150 million people vaccinated in the country. A reseller on the dark Web named Dark Web Market was claimed to have that data for sale at $800 (roughly Rs. 58,300). The listing by the reseller alleged that the data included name, mobile number, Aadhaar ID, and geolocation information about the affected people.
Sharma dismissed the claim and said that no CoWIN data was shared with any entity outside the CoWIN environment. “The data being claimed as having been leaked, such as geo-location of beneficiaries, is not even collected at CoWIN,” he added.
In addition to the government's response, cybersecurity expert Rajshekhar Rajaharia refuted the data leak claim made by the reseller. He stated on Twitter that it was nothing but a scam.
[Alert] #CowinPortal Not Hacked!! Some Fake#DarkwebLeakMarket are claiming to sell data of 150 Million COVID19 Vaccinated People of India. It's completely fake. It's a Bitcoin Scam. Don't Trust. Check Screenshots. They are listing fake leaks. #Infosec @journoprasoon @ETtech pic.twitter.com/c39IGDT4dz
— Rajshekhar Rajaharia (@rajaharia) June 10, 2021
Bengaluru-based security researcher Karan Saini also pointed out that the data sample suggesting the hack has not yet been seen. Although the reseller on the dark Web is claiming to offer some data for a sample, it has not been provided for free access. This is unusual as hackers on the dark Web often provide free samples of the data they are selling.
would advise folks to be cautious of 'alerts' posted here by companies that have a self-serving financial interest in creating/spreading FUD around data leaks, ty— Karan Saini (@squeal) June 10, 2021
The government takes COVID-19 vaccine registrations through Aarogya Setu and Umang apps — in addition to the CoWIN portal. It also recently made guidelines to allow booking of the vaccines through third-party apps. However, CoWIN has so far been used as a centralised platform for COVID-19 vaccine registrations across the country.
According to the latest data available on the CoWIN dashboard, the platform processed more than 27 crore registrations and enabled over 24 crore vaccination doses.