Concerns About CoWin Breach Still Remain Unaddressed, Govt Answer Lacks Detail

New Delhi: The government is yet to provide any details about the CoWin data breach one month after the incident came to light. The status and findings of the investigation continue to remain undisclosed.

The breach allegedly occurred on June 12, in which reports emerged that a bot on the messaging platform Telegram was allegedly returning personal data of Indian citizens who registered with the Health Ministry’s COVID-19 vaccine intelligence network (CoWIN) portal for vaccination purposes.

When asked on July 21, by some Rajya Sabha MPs if the government had identified those responsible for the breach, Minister of State for IT Rajeev Chandrasekhar replied:

“Taking cognizance of the cyber incident regarding CoWIN data in June 2023, CERT-In coordinated incident response measures with the Ministry of Health & Family Welfare (MoHFW). The MoHFW has lodged a complaint and F.I.R has been registered by a law enforcement agency, and CERT-In has provided inputs to facilitate investigation.”

The Indian government appears to show no real concern or urgency at the breach. They had denied the breach of the CoWIN database, which contains vaccine-related and personal details of millions of Indians who had registered for vaccination during the Covid-19 pandemic. The data leak that first emerged through a Telegram bot triggered several questions about the protection of critical digital infrastructure from cyberattacks

Who is accountable for the data leak and ultimately, citizen privacy then?

1.   When asked about the government’s plan to contain the leaked information from the CoWIN database, Chandrasekhar stated, “CoWIN portal of the Ministry of Health & Family Welfare has complete security measures and adequate safeguards for data privacy with Web Application Firewall (WAF), Anti- Distributed Denialof-Service (DDoS), Secure Sockets Layer (SSL)/Transport Layer Security (TLS), Identity & Access Management and regular vulnerability assessment.”

2. On measures taken to enhance safety protocols, the Minister detailed operations undertaken by CERT-In when a data breach is reported. The reply stated that CERT-IN notifies and coordinates with affected organisations to kickstart remedial measures. The team also issues alerts and advisories regarding cyber threats and vulnerabilities and ways to protect computers and networks against them.

3. The Minister’s reply also revealed that a special advisory on security practices has been communicated by CERT-In to the Health Ministry to strengthen “resilience of the health sector” against cyberattacks.

4. Further, in June 2023, the CERT-In team also issued guidelines on information security practices for the government covering domains such as data security, network security, identity and access management, application security, third-party outsourcing, hardening procedures, security monitoring, incident management and security auditing.

5. The government also said that CERT-In has empanelled 150 security auditing organisations to support and audit the implementation of Information Security Best Practices. Additionally, a Cyber Crisis Management Plan has been formulated for countering cyberattacks and cyber terrorism for implementation by all Ministries/ Departments of Central Government, State Governments and their organizations and critical sectors.

6. A National Cyber Coordination Centre (NCCC) also has been set up by CERT-In to generate necessary situational awareness of existing and potential cyber security threats.

7. For the protection of critical information infrastructures, the National Critical Information Infrastructure Protection Centre has been set up, which also responds to cyber incidents on such infrastructure. “The Centre provides near-real-time threat intelligence and situational awareness, based on which regular alerts and tailored advisories are sent to the entities concerned with such infrastructure,” the statement added.

The government’s reply in Parliament has chosen to avoid details. Whether the Indian Computer Emergency Response Team (CERT-In) has started the investigation and identified those responsible for the breach is still unclear, leaving many questions still unanswered on the safety of the enormous private data entrusted with its custodian – the government.