What does the alleged CoWIN data leak reveal?

Context : 

A bot on the messaging app Telegram is reportedly returning the personal information of Indian individuals who enrolled with the COVID-19 vaccine intelligence network (CoWIN) portal for vaccination purposes, according to claims that surfaced on June 12. Upon entering phone numbers, the bot poured out personal information such as name, Aadhaar, and passport numbers.

Indian Computer Emergency Response Team

Background:

  • The Indian government’s Ministry of Electronics and Information Technology houses the CERT-IN (Indian Computer Emergency Response Team) office.
  • It was founded in 2004 under the Ministry of Communications and Information Technology and Section (70B) of the Information Technology Act, 2000.
  • The National Critical Information Infrastructure Protection Centre (NCIIPC) within the National Technical Research Organisation (NTRO) and the National Disaster Management Authority (NDMA) under the Ministry of Home Affairs are two organisations with whom CERT-IN shares overlapping tasks.

Functions:

  • Nodal Agency: CERT-IN is the nodal organisation for dealing with phishing and other cyber security concerns in India.
  • Security Directives: To improve their security and lessen cyber risks, essential departments and organisations are issued security directives and advisories by CERT-IN.
  • Coordination: To coordinate and address the country’s cyber security and threats, CERT-IN collaborates with the Office of National Cyber Security Coordinator, the National Security Council, and the National Information Board.
  • Collaboration: To improve cyber security, CERT-IN works with other national and international organisations. For instance, it collaborated with Singapore’s Cyber Security Agency to stage the exercise “Synergy,” which intended to improve global cooperation and resilience against ransomware assaults.
  • Reporting and Analysis: To acquire insights into new trends, vulnerabilities, and attack patterns, CERT-IN gathers and analyses data on cyber security incidents. It is essential for comprehending India’s cyber threat landscape.
  • Incident Report: In the event of a cyber security incident, CERT-IN offers a coordinated response that includes incident handling, analysis, and recovery support. It helps businesses lessen the effects of cyberattacks.
  • Capacity building: To improve the cyber security expertise and understanding of people and organisations all over India, CERT-IN runs training courses, workshops, and awareness campaigns.
  • Research and development: To investigate new technologies, tools, and methods to counter increasing cyber threats, CERT-IN engages in research and development initiatives.
  • International Collaboration: To exchange knowledge, best practices, and skills in the area of cyber security, CERT-IN actively takes part in international projects and collaborations.

Points to Ponder:

The CoWIN portal keeps tabs on several COVID-19 vaccine-related developments in India:

  • Administration of vaccines:
      •  Keeps track of vaccine usage and waste at the federal, state, and local levels.
      • keeps a stock of vaccination vials to assure a sufficient supply.
  • Citizen Registration:
      • Citizens may register for the COVID-19 immunisation through this system.
      • need certain personal information like name, age, and gender, as well as the numbers from identification cards like Aadhaar and passports.
  • Appointment Scheduling:
      • Based on eligibility and the availability of vaccine slots at various health centres, appointment scheduling assists residents in scheduling their vaccination appointments.
  • Vaccine Certificates: 
      • Digital certificates are issued as proof of immunisation for various diseases.
      • used for things like accessing particular facilities and travelling.
  • Data Exchange: 
    • Combines data from many sources, such as health clinics, vaccine inventories, and vaccination certificates.
    • To reduce redundancy, each data stream operates independently but exchanges data.
  • Regarding the data breach incident:
    • The Indian Computer Emergency Response Team (CERT-In) evaluated the security architecture of the data breach incident, however, they were unable to locate any proof of a direct breach.
    • Investigations are ongoing into claims that a Telegram bot leaked user information.
    • The latest breach and other data leak cases underscore India’s persistent data protection issues.
    • Despite acknowledging the essential nature of the right to privacy, India has not yet created a thorough personal data protection framework.
    • In these situations, establishing a strong data protection framework helps address accountability and secure personal data.