Evidence of a previous Covid vaccination data leak puts the Narendra Modi administration under pressure.
The Narendra Modi administration was accused on Monday of being either unaware of or failing to publicly disclose a security breach of its Covid-19 immunisation database, a breach that had earlier allowed patient data to be stolen and subsequently published on a public messaging service.
At a time when the government is advising individuals and healthcare institutions to digitise medical information, the alleged security breach involving data that an official earlier classified as "completely safe and secure" has revived concerns about digital vulnerability, according to security experts.
The Fourth, a Malayalam news outlet, revealed on Sunday that the names, mobile phone numbers, and years of birth of Covid-19 vaccine recipients uploaded to the government's CoWin database were also accessible through a bot, or software programme, on Telegram, a popular messaging app.
It is unclear who created the bot, when, or for what reason.
According to Chandrasekhar, the data that the bot is accessing is from a threat actor database that "appears to (have) been loaded (with) previously stolen material taken in the past." The CoWin software or database "does not appear to have been directly compromised."
At 5.50 p.m., Chandrasekhar updated his earlier tweet to clarify that it had included "previously accessed or stolen data from databases other than CoWin."
"How secure is our digital infrastructure?" is a question that this extremely dangerous incident poses, remarked Supreme Court counsel and specialist in cybersecurity law Pavan Duggal. We need to have conducted a criminal investigation if data was stolen.
The previously stolen data mentioned by Chandrasekhar was not referred to in the health ministry's media release, which claimed CoWin was "absolutely safe with necessary safeguards for data privacy." The ministry added that it had started an assessment of internal security procedures surrounding CoWin.
The ministry also noted that according to CERT-In's report, "the backend database for the Telegram bot was not directly accessing" the CoWin database and that data on vaccine recipients could not be shared with any bots without an OTP (one-time password).
The additional databases from which CoWin information may have been stolen earlier have not been identified by the health ministry or the information technology ministry.
Many in the public have started to ask questions about the stolen data, including when, how, and whether or not the government reported it. A Twitter user asked, "Is there any FIR (first information report) or public publication for this previously stolen data?"
Another Twitter user questioned how this information could be in any database "other than CoWin." The bot not only provided Aadhaar or passport information, but it also displayed the location of the immunisation. The user questioned, "What other database has it and why?"
On Monday, a few Twitter users claimed that the bot had been turned off.
Digital platforms with open interfaces cannot be completely secure, according to Duggal and other specialists in digital security. If data was taken, Duggal added, "we need a thorough investigation to find out when and how it was done. We should treat cybersecurity with more seriousness than we already do."
At the All India Institute of Medical Sciences in New Delhi, computers were broken into and rendered unusable by hackers the previous year, potentially exposing patient data and impairing patient-accessible internet services.