Massive Data Leak from CoWIN Vaccination App Exposes Personal Information of Millions of Indians

In another recent cybersecurity incident, a Telegram bot named "hak4learn" has reportedly offered access to the private data of millions of Indians. The data includes personal information, ID documents, and phone numbers, raising serious concerns about the security of India's digital public infrastructure.

The data breach appears to have originated from India's CoWIN vaccination tracking app, which boasts over 1 billion registered users. The scale of the data breach suggests that the personal data of several hundred million users may have been exposed, marking a significant lapse in data security.

The bot became inactive by the morning of June 12, but this does not indicate the end of the breach. The bot was likely used as a storefront for whoever gained access to the database, meaning the data could still be traded elsewhere.

India's digital public infrastructure, including the Aadhaar identity system, digital payments system United Payments Interface, and CoWIN, has led to the accumulation of vast amounts of public data. However, concerns have been raised regarding the lack of cybersecurity policies and data protection frameworks that keep pace with the rapid growth of digital infrastructure.

The health ministry denies claims of a CoWIN portal breach, stating that the accessed data belongs to a "threat actor database" and not the CoWIN app or database directly. Digital risk monitoring platform CloudSEK suggests that hackers may have acquired multiple credentials from health workers, providing limited access to records rather than the entire CoWIN database.
