The Indian government has denied reports of a breach of highly sensitive personal data in what experts say could be one of the country’s worst digital security breaches.
The regulator called on the government to take action after it was reported that data from its Co-Win online vaccination platform was leaked through an automated program or “bot” on the Telegram messaging app.
India’s Minister of State for Electronics and IT, Rajeev Chandrasekhar, said on Wednesday that the information shared was “largely” fake, suggesting that any real figures were based on Prime Minister Narendra It was acquired before the Narendra Modi government came to power in 2014.
“The so-called breach is not from Co-Win,” Chandrasekhar told a conference in Delhi.
The reported breach has raised concerns about data security in a country that prides itself on having built one of the world’s largest networks of digital public infrastructure and gained international fanfare during its current G20 presidency.
The Co-Win platform contains data such as Covid-19 vaccination records, government-issued identification numbers, birthdays and, in some cases, passport numbers for about 1 billion of India’s 1.4 billion residents.
Cybersecurity researchers and media outlets reported that the bot leaked personal data of some politicians and other individuals before it was removed from Telegram
Chandrasekhar said initial investigations found that the data may have come from a database owned by the unidentified operator of the Telegram bot.
“How long is the data, where did it come from, how much is fake, whether this is a deliberate imitation of the breach, are being investigated,” the minister said.
Earlier this week, India’s health ministry, which manages the Co-Win database, denied reports that the bot was able to access personal data using personal mobile phone numbers or numbers issued as part of the government’s “Aadhaar” digital identity scheme. The ministry said the reports were “without any basis and of a hoaxous nature”.
The government’s India Computer Emergency Response Team will “look into the issue,” the ministry added.
Cybersecurity researchers said the government has not yet clarified whether the allegedly leaked data may have come from copies of official databases shared elsewhere.
“The problem is that there are databases out there, and the number of leaked databases is increasing every day,” said Anivar Aravind, an expert in public interest technology. “In India, leaks are becoming commonplace.”
Cybersecurity firm CloudSek said in a report this week that while the hackers may not have “accessed the entire Co-Win portal or back-end database,” they may have previously been able to access data health workers’ credentials by stealing login details.
Modi’s government has championed its online infrastructure push, the India Stack, as a model for other countries, but has been criticized in India for what civil liberties groups have said is insufficient control over data use.
“It’s up to the government to explain it to Indians,” said Srinivas Kodali, a data and digital economy researcher in Hyderabad. “If it was a private company, we would blame the company, but in this case, it’s a government system.”
Opposition politicians have used the apparent leaks to criticize Modi’s government and question why the Co-Win is keeping data on Indians when India’s vaccination program is now largely over.
“What other databases are linked to the CoWIN database that caused this vulnerability?” Jarram Ramesh, General Secretary of Communications, Congress Party, wrote on twitter.