The Indian government on Monday responded to reports suggesting a leak of data from the CoWin portal of the Health Ministry, assuring the public that the CoWin app remains secure. But what really happened?
Expert Analysis
Cybersecurity company CloudSEK said it discovered a threat actor advertising a Telegram bot that purportedly offered the personally identifiable information (PII) of Indian citizens who had allegedly registered for vaccines through the CoWin portal.
CloudSEK's analysis said that the threat actors do not have access to the entire CoWin portal or to its backend database. Instead, CloudSEK believes the information was most likely scraped using compromised credentials, a conclusion based on the match between the fields exposed by the Telegram bot and those seen in previously reported incidents affecting healthcare workers in a specific region. The claims still require individual verification.
Further analysis by the company revealed that on 13 March 2022, a threat actor on a Russian cybercrime forum advertised compromised access to the CoWin portal, specifically for the Tamil Nadu region. On closer analysis, however, the breach turned out to involve a single health worker's access rather than a compromise of the infrastructure itself. The content displayed in the Telegram bot's screenshots matched the information mentioned in the media, including the individual's name, mobile number, type of identity proof, identification number, and the number of vaccine doses completed.
Moreover, CloudSEK found numerous healthcare worker credentials for the CoWin portal accessible on the dark web. It concluded that the issue primarily stemmed from inadequate endpoint security for healthcare workers' devices and accounts, rather than from inherent weaknesses in the CoWin infrastructure. An exclusive HUMINT (human intelligence) analysis also indicated that the data belonged to the Tamil Nadu region, and that the threat actor claimed access to a vaccination centre in that region at the time.
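The scenario CloudSEK describes, a legitimate operator account being used to enumerate beneficiary records in bulk, is detectable on the portal side from its own audit log. The following is an added example written for this article, not code from CoWin or CloudSEK; the log format, account names, working hours and thresholds are all assumptions, and the log lines are constructed.

```python
"""Flag vaccination-portal operator accounts whose beneficiary lookups look like
bulk scraping (compromised credentials) rather than normal clinic work.
Assumed log line format: '<ISO timestamp> <account> <ACTION> <beneficiary_id>'."""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_LOOKUPS_PER_HOUR = 60   # assumed ceiling for one operator at a busy centre
OFF_HOURS_CEILING = 5       # assumed ceiling outside centre hours
WORK_HOURS = range(7, 21)   # assumed centre hours, 07:00 to 20:59


def parse_line(line):
    """Split one audit-log line into (timestamp, account, action, beneficiary)."""
    ts, account, action, beneficiary = line.split()
    return datetime.fromisoformat(ts), account, action, beneficiary


def detect_bulk_lookups(lines, max_per_hour=MAX_LOOKUPS_PER_HOUR,
                        max_off_hours=OFF_HOURS_CEILING):
    """Return one finding per (account, hour) whose distinct-beneficiary lookups
    exceed the working-hours ceiling, or the lower off-hours ceiling."""
    buckets = defaultdict(lambda: defaultdict(set))  # account -> hour -> ids
    for line in lines:
        ts, account, action, beneficiary = parse_line(line)
        if action == "LOOKUP":
            buckets[account][ts.replace(minute=0, second=0)].add(beneficiary)
    findings = []
    for account, hours in buckets.items():
        for hour, ids in sorted(hours.items()):
            reasons = []
            if len(ids) > max_per_hour:
                reasons.append("volume")
            if hour.hour not in WORK_HOURS and len(ids) > max_off_hours:
                reasons.append("off-hours")
            if reasons:
                findings.append({"account": account, "hour": hour.isoformat(),
                                 "distinct_lookups": len(ids), "reasons": reasons})
    return findings


def build_sample_log():
    """Constructed log: one operator doing normal clinic work, and one account
    (assumed compromised) enumerating 150 records at 02:14 in under three minutes."""
    lines = [
        "2022-03-12T09:01:10 hw_centre17 LOOKUP b1a2",
        "2022-03-12T09:03:45 hw_centre17 VACCINATE b1a2",
        "2022-03-12T09:20:05 hw_centre17 LOOKUP c3d4",
        "2022-03-12T09:22:30 hw_centre17 VACCINATE c3d4",
    ]
    start = datetime(2022, 3, 12, 2, 14, 0)
    for i in range(150):
        lines.append(f"{(start + timedelta(seconds=i)).isoformat()} hw_centre42 LOOKUP id{i:04d}")
    return lines
```

A real deployment would also compare lookups against vaccinations recorded by the same account, since a scraping session looks up far more people than it ever vaccinates.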
"A Telegram Bot was throwing up Cowin app details upon entry of phone numbers," tweeted Rajeev Chandrasekhar, Union Minister of State for Electronics & Technology.
The Telegram bot, known as the Covid data bot, was offered by a channel called "hak4learn," which frequently shares hacking tutorials, resources and bots for users to access and purchase. Initially available to everyone, the bot was later restricted to subscribers. The upgraded version returned PII, including Aadhaar card numbers, PAN card details, Voter IDs, gender and the name of the vaccination centre, for any phone number entered.
While the real source of the Telegram bot remains unknown, it is important to note that it had two versions. Version 1 displayed personal information based on phone numbers, while Version 2 claimed to be a Truecaller bot that contained additional personal information about individuals.
"We know that some breach data in circulation often consists of personally identifiable information (or PII) data pieced together from various breaches that is not attributable to a single source. However, what makes the information being shared by the Telegram bot different is the fact that just by sharing a mobile number or Aadhaar number, the bot was able to return both PII and what we consider to be confidential medical information (vaccine administration details), which isn't likely to be available to just any third party," explained Satnam Narang, Senior Staff Research Engineer, Tenable.
"So how likely is it that these two pieces of disparate information (PII and confidential medical information) have been put together from databases other than CoWIN? Hopefully, the Indian Computer Emergency Response Team (CERT-In) can shed more light on the origin of this leaked data following its investigation, though there are reports the bot will return soon," Narang added.
Additionally, based on an Instagram post made in 2022, an account associated with the threat actor offered various scripts that exploited UPI payment gateways, including SBI, PayTM, and Google Pay.
According to the 'IBM Cost of a Data Breach Report 2022', the average cost of a data breach in India has increased by 25 per cent to Rs 17.6 crore, from Rs 14 crore in 2020. The report further states that the country's average per-record cost of a data breach in 2022 was Rs 6,100, a 3.3 per cent increase from Rs 5,900 in 2021. The average breach in 2022 exposed 29,500 records.
Government Reaction
The government has dismissed the reports of a CoWin data breach as "mischievous" and "without any basis." The matter has reportedly been reviewed by CERT-In, the country's nodal cybersecurity agency, which has reaffirmed that the data within the CoWin portal remains completely secure. The Health Ministry emphasised that vaccinated beneficiaries' data cannot be shared with any bot without One-Time Password (OTP) verification.
While the government has assured the public about the data integrity of the CoWin portal, an investigation into the matter is currently underway to ascertain the nature and extent of any potential breach.