No CERT-In update on data leak yet
- June 14, 2023
- Posted by: OptimizeIAS Team
- Category: DPN Topics
Subject: Polity
Section: National Body
Concept:
- The Computer Emergency Response Team (CERT-In) has not yet released an update on its assessment of the leak, nor has it issued an advisory on how impacted people should act to secure themselves.
- The Union government said that the Union Health Ministry has also initiated an investigative exercise related to the CoWIN service, which will throw up some clues in the “next couple of days.”
- There can be more sophisticated forms of hacking, including through architectural vulnerabilities in the application programming interface (API).
- Programmes exchange information with each other through APIs. An expert noted that an app or a service used by anyone to update hospitals’ vaccine data can act as such a gateway.
Clarification on CoWIN Data Access
- Three methods of data access: The Ministry outlines the three ways in which data can be accessed on the CoWIN portal: user access, vaccinator access, and authorized third-party applications.
- Data sharing with Telegram bot: The Ministry clarifies that data cannot be shared with the Telegram bot without undergoing the one-time password (OTP) authentication process.
- Limited data collection: CoWIN only collects the year of birth and does not capture a person’s address.
Unanswered Questions and API Access
- Uncertainty regarding recent breaches: The Ministry has not explicitly clarified whether the CoWIN database was breached recently or in the past.
- Lack of insights on bot accuracy: The Ministry’s statement does not offer insight into the accuracy of the Telegram bot’s retrieval of citizens’ data from the CoWIN database.
- API access without OTP: The Ministry admits the existence of an API that allows data sharing without OTP, but emphasizes that requests are accepted only from trusted whitelisted APIs.
Concerns and Aadhaar Data
- Accuracy of Aadhaar details: The accuracy of displaying Aadhaar numbers corresponding to mobile numbers raises concerns, as the government has never publicly acknowledged any breaches of Aadhaar data.
- Need for clarity: The Ministry’s statement does not provide clarity on how the Telegram bot accurately displayed Aadhaar numbers.
- Addressing security concerns: The Ministry should address concerns regarding the security of Aadhaar data and provide transparency on its safety measures.
Future Steps and Data Governance Policy
- Empowering CERT-In: The Health Ministry has requested a final report from CERT-In to investigate the alleged data breach incident thoroughly.
- National Data Governance policy: The Ministry highlights the finalization of the National Data Governance policy, which aims to establish a common framework for data storage, access, and security standards across the government.
- Awaited response from CERT-In: The Ministry is awaiting a response from CERT-In regarding the issue, which will provide further insights into the nature of the breach.