The CoWIN Portal Breach: A Crisis in Indian Data Security
The CoWIN portal serves as India’s central platform for COVID-19 vaccine registration. As reported by Twitter user @SaketGokhale, CoWIN has recently suffered a grievous data breach in which the personal information of every Indian citizen registered on the portal was publicly exposed through the Telegram messaging application.
CoWIN, as described on its official website, is India’s rapidly expanding digital backbone, and one of the largest COVID-19 vaccination initiatives worldwide. It’s an expandable, inclusive, and open platform for nationwide vaccination, capable of monitoring vaccine utilization, coverage, and wastage throughout the system. This citizen-centric solution assists with vaccine registration and scheduling, regular reminders and communication, and the issuing of vaccination certificates to citizens, and helps project managers and vaccine recipients organize meetings, compile reports, and monitor progress.
Within the leaked database, detailed personal information of almost every Indian citizen vaccinated against COVID-19, including Indian political leaders, is freely and easily accessible. Saket Gokhale, a leader of the Indian National Congress, has condemned this leak on Twitter, criticizing the Modi government’s inadequate data protection and inaction.
According to Gokhale, when a phone number registered on the CoWIN portal is entered into a Telegram bot, the bot automatically discloses the Aadhaar number used for vaccination, along with details such as gender, birth year, and the center where the individual was vaccinated. (The Aadhaar number is a unique 12-digit identity number issued on the basis of the biometric and demographic data of Indian citizens and foreigners living in India.) Reportedly, the breach also exposes the voter ID, passport, and PAN numbers, among other details, of tens of thousands of Indian citizens.
As corroborated by various news reports, if multiple individuals register using the same phone number, the Telegram bot will provide the details of all these people at once. Consequently, if a family uses a single phone number to book vaccination appointments for multiple members, their personal information would be collectively exposed.
The CoWIN portal reportedly features a One-Time Password (OTP) security system, and it is currently unclear how this data breach occurred.