
Understanding the developments in CoWIN portal Data leak Saga: From reports of the breach to the Government’s response

Article by Tsaaro


Introduction

On June 12th, several media reports claimed that the CoWIN portal had been breached and that the data of all the people who were vaccinated and registered on the portal was available to the public. The media reports stated that the data was accessible via a bot on Telegram.

Later the same day, both the health and Information Technology (IT) ministries unequivocally refuted the claims made in these reports. They clarified their position and found that the information available on the bot was already publicly accessible. This clarification is based on an internal exercise conducted by the national health ministry and an audit conducted by the Computer Emergency Response Team, i.e., CERT-In.

Timeline of Events

The issue came into the limelight when opposition MPs tweeted screenshots showing information about vaccinated people being available via a Telegram bot. There were claims that the CoWIN portal had been breached and all the data compromised.

CERT-In responded to these claims immediately and will be submitting a report swiftly, per the statements of the Minister of State for IT, Mr Rajeev Chandrasekhar. The minister also clarified that there had been no breach of the CoWIN portal's data. Secondly, he stated that the source of the available data was a threat actor database. IBM defines a threat actor database as a database used by malicious actors to cause damage to digital assets such as devices or systems. These threat actors target a system's vulnerabilities and perform various attacks, from phishing to malware. Thirdly, he stated that the information was already in the public domain and was part of previously stolen or breached data. Thus, the information made available by the Telegram bot is not from the CoWIN portal.

In its initial report, CERT-In found that the back end of the Telegram bot could not access the personal information held on the CoWIN portal. This is because the data is accessible only via OTP, i.e. one-time password. It stated that all three modes of accessing Personally Identifiable Information (PII) on the CoWIN portal, i.e., authorised user access post authentication, beneficiary board access and third-party access, were protected by an additional OTP requirement.

Privacy Paradigm In India

The incident mentioned above reflects how important data privacy practices are in the modern age. Digitalisation has entered all sectors in one form or another; whether in government or private structures, data-driven functioning has been adopted across the board.

Courts and the Constitution

The privacy rights regime in India was established and spearheaded by the courts. Initially, the apex court was averse to the idea of the right to privacy being a fundamental right in India. The Supreme Court of India, in the 1962 judgement of Kharak Singh vs. State of Uttar Pradesh ((1964) 1 SCR 332), ruled that there is no fundamental right to privacy. The Supreme Court later overturned the 1962 ruling in its 2017 judgement in Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. ((2017) 10 SCC 1). The Puttaswamy judgement recognised the fundamental right to privacy under Article 21 of the Indian Constitution.

Although the right to privacy has been recognised in the constitutional scheme, it can only be enforced in practice if the Government and the private sector conform to data privacy practices. In the CoWIN incident, preliminary reports indicate that, prima facie, the use of a one-time password authentication mechanism was key to the portal's data not being breached.

Practices for Ensuring Data Privacy & Protection

There are similar data privacy practices apart from the one-time password authentication mechanism. These can be used by the Government and private organisations managing large volumes of data to protect the right to privacy of their clients. These include:

Formulation of a comprehensive framework of laws and regulations. These laws and regulations will ensure that guidelines are provided regarding the storage, collection, handling and processing of data. Published in 2022, the Draft Digital Personal Data Protection Bill intends to establish guidelines on these subjects, such as data processing and storage. It also aims to establish the responsibility and liability of Data Fiduciaries to Data Principals.

Privacy by Design Principles. This involves ensuring that privacy and data protection principles are embedded in the design and foundation of the digital system's development. The system is oriented and organised to promote privacy and reduce data protection vulnerabilities. These principles include, but are not limited to, anonymisation or pseudonymisation of personally identifiable information, data minimisation techniques, and enforcing privacy control measures.

Training Employees. This will ensure that the organisation incorporates and encourages a data privacy and protection culture. It will also ensure that employees are well equipped to oversee situations where data privacy may be compromised and to implement data privacy and protection practices, which will minimise the risk of a data breach or reduce the chances of a cyber-attack succeeding.

Employing Strong Data Protection Measures. Robust data protection measures are key to safeguarding the confidentiality of personal or critical data. This can be done by employing strong security protocols, such as using encryption to reduce the exposure of data while it is in storage or in transit, and by employing secure access controls. Privacy impact assessments can help identify the vulnerabilities of the system so that they can then be removed.

Future Privacy Developments in Indian Jurisdiction

Apart from the Draft Digital Personal Data Protection Bill, 2022, which is expected to be introduced in Parliament in the Monsoon Session, a Digital India Act is also proposed, which is expected to replace the IT Act 2000 so as to cater to the demands of the modern digital age. Also, per the IT Minister, a national data governance policy has already been finalised and is expected to be officially notified soon. The draft National Data Governance Policy Framework was released in 2022. The minister stated that this policy would deal with creating one common framework of security standards, data storage and data access across the Government.

Conclusion

Though, as per preliminary reports, it can be inferred that the Government was able to avoid a potential data breach by employing authentication protocols like the one-time password mechanism, there still persists a risk of violation of an individual's right to privacy, and a mechanism is absent for want of any comprehensive law or regulation. Enactment of legislation like the Digital Personal Data Protection Bill and the Digital India Act will not only ensure that a legal mechanism is in place for individuals to raise their grievances and keep Data Fiduciaries in check without moving the courts. It will also ensure the modernisation of laws and regulations that is necessary to cater to the demands of a modern world that is now well on its way into a digital, globalised system.

Tsaaro helps organisations ensure compliance with privacy laws by equipping professionals with the skills required. Take the first step towards securing your organization's data by scheduling a call with our privacy expert team at Tsaaro Solutions today. To stay updated with all the recent developments in the global as well as the Indian privacy regulation paradigm, contact us at info@tsaaro.com.
