India’s government has denied reports of a leak of highly sensitive personal data that experts say could be one of the country’s worst digital security breaches.
Watchdog groups had called for the government to take action after the reported leak of data originating from its Co-Win online vaccination platform via an automated programme or “bot” on the Telegram messaging app.
Rajeev Chandrasekhar, India’s minister of state for electronics and IT, said on Wednesday the information being shared was “to a large part” fake, suggesting that any authentic data was obtained before Prime Minister Narendra Modi’s government took power in 2014.
“That so-called breach was not from Co-Win,” Chandrasekhar said at a conference in Delhi.
The reported breach has raised concerns about data security in a country that prides itself on having built one of the world’s largest digital public infrastructure networks, which it is touting internationally during its current presidency of the G20.
The Co-Win platform contains data such as Covid-19 vaccination records, government-issued ID numbers, birthdays and in some cases passport numbers of about 1bn of India’s 1.4bn residents.
Cyber security researchers and media outlets have reported verifying some of the individual data of politicians and other individuals that was leaked by the bot before it was removed from Telegram
Chandrasekhar said that an initial investigation found the data probably came from a database owned by the Telegram bot’s unidentified operator.
“How old the data is, where did the data come from, how much of it is fake, and is this a deliberate attempt to mimic a breach, is being investigated,” the minister said.
Earlier this week, India’s health ministry, which manages the Co-Win database, denied reports the bot had been able to access individuals’ data using their mobile numbers or numbers issued as part of the government’s “Aadhaar” digital ID scheme. The reports were “without any basis and mischievous in nature”, the ministry said.
The ministry added that the government’s Indian Computer Emergency Response Team would “look into this issue”.
Cybersecurity researchers said the government had not yet made clear whether the allegedly leaked data might have come from a copy of an official database shared elsewhere.
“The issue is there are databases out there and the number of leaked databases are increasing day by day,” said Anivar Aravind, a public interest technologist. “Leaks are becoming everyday occurrences in India.”
CloudSek, a cyber security company, said in a report this week that while the hackers probably “do not have access to the entire Co-Win portal nor the back end database”, they might have previously been able to access data by stealing the login credentials of health workers.
The Modi government has championed its online infrastructure push, known as the India Stack, as a model for other countries, but has faced criticism in India for what civil liberties groups claim are inadequate controls on the use of data.
“It’s up to the government to explain this to Indians,” said Srinivas Kodali, a researcher on data and the digital economy based in Hyderabad. “If this were a private company, we’d be blaming the company, but in this case it’s a government system.”
Opposition politicians have leapt on the apparent leak to criticise the Modi government, asking among other things why Co-Win was still holding on to Indians’ data when India’s vaccination programme was now largely over.
“What other databases are linked to the CoWIN database that has led to this vulnerability?” Jairam Ramesh, the Congress party’s general secretary for communications, wrote on Twitter.
