The government on Monday dismissed media reports claiming a breach of beneficiaries' data from the Co-WIN portal, saying such reports are without any basis and mischievous in nature. The portal is completely safe with adequate safeguards for data privacy, the Union health ministry said in a statement.
There were reports on social media that the personal data of individuals who have been vaccinated against Covid-19 is being accessed using a Telegram BOT. The reports also claimed that the BOT has been able to pull individual data by simply passing the mobile number or Aadhaar number of a beneficiary.
“It is clarified that all such reports are without any basis and mischievous in nature. Co-WIN portal of Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on Co-WIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity and Access Management etc,” the ministry said, adding that only OTP authentication-based access of data is provided.
The ministry, however, said it has requested the Indian Computer Emergency Response Team (CERT-In) to look into the issue and submit a report.
According to the ministry, the development team of Co-WIN has confirmed that there are no public APIs where data can be pulled without an OTP. In addition, there are some APIs which have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing data when called with just a mobile number or Aadhaar number.
However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application, it said.


