The Indian health ministry has denied reports of a major leak of personal data from its Covid vaccination database.
In a statement it said “all such reports are without any basis and mischievous in nature”, but it has ordered an official investigation into the matter.
The health ministry’s CoWin database contains the personal details of millions of people.
There does, however, appear to be some disagreement within the Indian government over the alleged data breach.
The Minister of Electronics and Technology, Rajeev Chandrasekhar, released a statement via Twitter saying an initial investigation had already indicated that there had been a leak of CoWin data.
He said that a bot, accessible via the Telegram messaging service was “throwing up CoWin app details upon entry of phone numbers”.
Mr Chandrasekhar said initial investigations by the Indian Computer Emergency Response Team (IndianCert) had found that the data of millions of Indians that had been “previously breached or stolen” from the Covid vaccine database, had been accessible.
Has there been a leak?
A local Indian media outlet first reported on the alleged leak in a YouTube video showing how a Telegram bot was revealing up information on well-known politicians in the southern state of Kerala.
The Malayalam media outlet called ‘The Fourth’ showed how it was possible to obtain personal data such as a date of birth, the identity document used for registering a Covid vaccination, the location of where the first dose was received, the gender and the phone number of an individual.
Other news outlets subsequently checked the bot and verified that the personal details of prominent individuals they obtained were indeed accurate.
It is no longer possible to access this bot.
A Telegram spokesperson told the BBC that such bots breach the platform’s terms of service.
“Telegram’s moderators routinely remove private data published without consent – as was the case for this bot.”
Srikanth Lakshman, a digital identity expert who accessed the bot before it became inactive, said that information relating to both minors and adults had been available.
“Only the CoWin database is supposed to have this kind of detail” he told the BBC.
Several cyber security experts have express concerns after the incident was reported and pointed out that no security alert was issued by India’s Computer Emergency Response Team.
Has this happened before?
In June 2021, there were claims that the CoWin portal had been hacked resulting in the sale of data relating to 150 million Indians. The Indian government denied that this had happened.
Then in January last year, when similar reports of a data breach emerged, the chief of the National Health Authority, Ram Sewak Sharma, responded saying the database was “safe and secure”.