Sunday, June 16, 2024

CoWIN Data Leak – Personal Data of COVID Vaccine Recipients Leaked on Telegram

The information of hundreds of thousands of Indians who received the COVID vaccination was exposed in a significant data breach and posted on a Telegram channel.

The Fourth News, a Malayalam news portal, said that a Telegram bot on the channel “hak4learn” was providing access to the private information of millions of Indians.

As mentioned by the channel operator, you may access documents of the mobile number registered on the CoWin site.

It is also feasible to determine which vaccination was given and where it was given.

The CoWIN vaccination monitoring app from India, which has more than 1 billion registered users, is noteworthy.

“The scale of the data breach is what makes it hard to guess the repercussions,” says Srikanth Lakshmanan, a researcher who runs the digital payments collective Cashless Consumer. 

“Conservative estimates mean at least personal data of several hundred million users was exposed.”

List Of Individuals Whose Data Was Exposed

Several reports claim that sensitive information, including a person’s phone number, gender, ID card details, and date of birth, was exposed on Telegram. By providing a person’s name, a Telegram bot might obtain it.

Local news media have used the bot to gain access to the private data of politicians. The bot stopped functioning on the morning of June 12.

Since the bot was probably merely a shop window for whoever hacked the database, the fact that it has been shut down doesn’t indicate the breach is done, according to Lakshmanan.

“Usually, hackers reveal a slice of data publicly via a bot or web page to prove to the world they have said data and then sell it on the dark web,” Lakshmanan says. 

“While the bot is down now, we don’t know where all the data is being traded.”

The Cowin Portal Of The Health Ministry Is Completely Safe

According to the health ministry, allegations that the CoWIN site has been compromised are “without any basis” and the organization in charge of handling cybersecurity issues, the Computer Emergency Response Team, has been requested to look into the accusations.

The government said that the Co-WIN portal of the health ministry is completely safe, with adequate safeguards for data privacy

“The development team of COWIN has confirmed that there are no public APIs (application programming interface) where data can be pulled without an OTP (one-time password). In addition to the above, there are some APIs which have been shared with third parties such as ICMR (Indian Council of Medical Research) for sharing data,” the ministry said in its statement.

“It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the CoWIN application,” it added.

According to the health ministry, an internal exercise has also been started to assess the CoWIN security procedures that are now in place.

Minister Rajeev Chandrasekhar said, “National Data Governance policy has been finalized that will create a common framework of data storage, access and security standards across all of government.”

Stop Advanced Email Threats That Target Your Business Email – Try AI-Powered Email Security


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles