Although the government has issued strong—but confusing—denials, a hacker appears to have accessed the data of over a billion people who registered for the Covid vaccine. We do our best to explain what happened and how—based on fairly thin reporting.
What? My personal vaccine information is public?
Quick reminder: Indians who wanted to get a Covid vaccine had to register with the government database known as CoWIN. Entire families, up to six people, could register together using a single phone number. The process required you to upload one of several approved forms of ID.
The Telegram bot: Until late yesterday, a Telegram bot called Truecaller was spitting out a person’s personal details when given their phone number or Aadhaar ID. The details included name, date of birth, gender, phone number and location of the first vaccine dose—and the registered ID, be it passport, Aadhaar or voter card.
The story first broke on a Malayalam news portal—whose reporter successfully accessed personal data of Kerala Health Minister Veena George, Congress General Secretary Jairam Ramesh, Union Minister of State Meenakshi Lekhi and others. Soon other media outlets, The News Minute among them, started releasing screenshots of similar results.
Worrying points to note: The bot spat out the details of everyone who was registered with the CoWIN database under the same phone number. These would typically be family members—such as DMK leader Kanimozhi Karunanidhi’s son. One reporter accessed information of a minor—which is even more worrying:
I used the publicly available Aadhaar card number of a minor who had died by suicide. The existence of her details showed that this bot has data till at least January 2022 when the vaccination for people under 18 began. And India had already crossed the one billion vaccination mark before that.
The bigger nightmare: The bot also provided the exact date of birth—which is highly sensitive information, as security experts point out:
What is unique to this data breach is that the date of birth has been leaked too which is not just linked to your phone number, Voter IDs, passport, but also your mutual funds account, your insurance policy, your other accounts, and is often used to reset passwords as well. And date of birth is very critical from a security standpoint which is now compromised.
But here’s the real mystery: The CoWIN database only has the year—not the entire date of birth.
The silver lining: The bot was taken down after it received media attention. It is now back online but is no longer leaking CoWIN data.
And what does the government have to say about this?
The IT Minister: Rajeev Chandrasekhar—the minister of state for electronics and information technology—was the first to issue a denial but only confused matters:
“The data being accessed by bot from a threat actor database, which seems to (have) been populated (with) previously stolen data stolen in the past,” Chandrasekhar wrote. “It does not appear that CoWin app or database has been directly breached.” In a fresh tweet at 5.50 pm, Chandrasekhar clarified that his earlier tweet had referred to “previously breached or stolen data from databases other than CoWin.”
The health ministry: then issued a statement, saying CoWIN is “completely safe with adequate safeguards for data privacy.” It insisted that “the backend database for the Telegram bot was not directly accessing” the database—and no bot can access this data without an OTP confirmation.
The gaping holes: The government’s assertions were riddled with gaps—which did not offer comfort. They did not explain how the bot was accessing vaccine information—if the data did not come from CoWIN. Nor did they clarify which other database had been breached.
Also telling: The use of deliberately vague phrases such as “not directly breached” and “not directly accessing.” It left plenty of room for ‘indirect’ access and breaches—though logically speaking, there is no such thing. Either a database is leaking information to an unauthorised person or it is not. The method used to hack into it—direct or indirect—is sorta beside the point.
So has the data leaked or not?
According to the person who developed the Telegram bot: Yes! Here’s how he did it.
The issue of access: The health ministry laid out three ways someone can access the CoWIN database:
- The user uses an OTP sent to their registered mobile number to log in.
- The health worker who administers the vaccination can access the info—but their activity is meticulously logged by the system.
- Third party apps can access personal level data of vaccinated people—but only with OTP authentication.
In other words, your access either requires an OTP or is tracked by the system.
The great exception to this rule is an API—or application programming interface—which allows apps to ‘talk’ to one another. Example: your weather app may talk to the met department’s database. The government admits that there is one CoWIN API that allows a user to access information with just a mobile number. This API only accepts data requests from other “trusted” APIs that have been whitelisted by the government. As Indian Express notes, “There is no clarity on what this trusted API does and why it has been afforded the privilege of bypassing the entire OTP mechanism.”
What the hacker did: They seem to have exploited this specific hole in the system. According to an India Today exclusive, they first got into an online child health platform that’s part of the health ministry. Then they accessed the credentials of ANMs (Auxiliary Nurse Midwives)—which they used to retrieve information from the CoWIN database. Presumably, this platform used one of the whitelisted APIs.
Some small comfort: According to the hacker, while this method can access information one person at a time, it does not allow for a massive data dump. But it certainly is not accessing any old or previously breached database—contrary to what the government may claim.
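For readers on the defending side, here is one way the logged health-worker access described above could be monitored. This is an added example, not code from the article or from CoWIN: it flags a credential that reads many distinct mobile numbers without an OTP and never records a dose for them. The log fields, credential names, mobile numbers and threshold are all assumptions made up for illustration.

```python
from collections import defaultdict


def flag_lookup_only_credentials(events, min_distinct=5):
    """Return {credential: count} for credentials that read many records
    without OTP and never record a dose for those people.

    A health worker at a vaccination site looks a person up and then records
    a dose. A stolen credential used for one-at-a-time lookups shows reads
    for many distinct mobile numbers with no matching dose events.
    """
    looked_up = defaultdict(set)  # credential -> mobiles read without OTP
    dosed = defaultdict(set)      # credential -> mobiles with a recorded dose
    for e in events:
        if e["action"] == "lookup" and not e["otp_verified"]:
            looked_up[e["cred"]].add(e["mobile"])
        elif e["action"] == "record_dose":
            dosed[e["cred"]].add(e["mobile"])

    flagged = {}
    for cred, mobiles in looked_up.items():
        unexplained = mobiles - dosed[cred]  # read, but no dose recorded
        if len(unexplained) >= min_distinct:
            flagged[cred] = len(unexplained)
    return flagged


def build_sample_events():
    """Constructed audit-log records (hypothetical schema, not CoWIN's)."""
    events = []
    # anm-site-17: normal use, every lookup is followed by a recorded dose.
    for n in range(6):
        mobile = f"90000000{n:02d}"
        for action in ("lookup", "record_dose"):
            events.append({"cred": "anm-site-17", "mobile": mobile,
                           "action": action, "otp_verified": False})
    # anm-site-42: lookups only, across unrelated numbers, one repeated.
    for n in list(range(8)) + [0]:
        events.append({"cred": "anm-site-42", "mobile": f"91111111{n:02d}",
                       "action": "lookup", "otp_verified": False})
    # A citizen logging in with an OTP is not counted at all.
    events.append({"cred": "self-service", "mobile": "9222222200",
                   "action": "lookup", "otp_verified": True})
    return events


if __name__ == "__main__":
    print(flag_lookup_only_credentials(build_sample_events()))
```

Because the reported method pulled one record at a time, the check counts distinct people per credential rather than looking for a single large export.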
The bottom line: No doubt the government has already moved quickly to fix this gaping flaw. But it offers little assurance that the data won’t leak through some other—yet undetected—hole.
Reading list
Quint has the best overview of the entire incident. The News Minute used the Telegram bot and explained how it worked. Indian Express has a good report on how the government’s response raises more questions than answers. India Today’s exclusive interview with the hacker behind the leak is worth a read.