Leading cyber security firm says no online access to COWIN portal/backend data
Aditi Tandon
New Delhi, June 13
With the political slugfest raging on alleged data leak of Covid shot recipients registered on India’s online vaccine delivery platform, COWIN, a top cyber security firm on Tuesday ruled out breach of citizens’ privacy.
CloudSEK, a leading Singapore-based cyber security startup with most of its operations in India, on Tuesday published a report on the alleged Indian data leak saying, “CloudSEK Analysis concludes that threat actors do not have access to the entire Cowin portal nor the backend database. Based on matching fields from Telegram data and previously reported incidents affecting Healthworker of a region, we assume the information was scraped through these compromised credentials. The claims need to be verified individually.”
CloudSEK said its contextual AI digital risk platform XVigil discovered a threat actor advertising a Telegram bot that offered personally identifiable information (PII) data of Indian citizens who had allegedly registered vaccines from the Cowin portal.
In its analysis, the firm said the Covid data bot (which published alleged leaked information) was offered by a channel called hak4learn, which frequently shared hacking tutorials, resources and bots for individuals to access and buy.
“Initially, the bot was available for everyone to use, but it was later upgraded to be exclusive to subscribers. The upgraded version of the bot provided PII data, including Aadhaar card numbers, Pan card, Voter ID, gender, and the name of the vaccination centre, based on the phone number,” CloudSEK said.
It said the real source of the Telegram bot is unknown.
“It is important to note that the bot had Version 1 offered that only displayed personal information based on phone number. While the Version 2 claimed to be Truecaller bot that also contained personal information of the individuals,” the cyber security firm noted.
The bot is currently down and might come up later as mentioned by the admin of the channel.
Importantly, CloudSEK recalled that on March 13, 2022, a threat actor on a Russian cybercrime forum advertised for compromised access on the Cowin portal of Tamil Nadu region and claimed to have compromised the Cowin database.
“Upon analysis, we discovered the breach was that of a health worker and not really on the infrastructure. The content displayed on the screenshot matches with the Telegram bot mentioned in the media as follows: Name of individual, mobile number, identity proof, identification number, number of doses completed. Furthermore, there are numerous health care worker credentials accessible on the dark web for the Cowin portal. However, this issue primarily stems from the inadequate endpoint security measures implemented for health care workers, rather than any inherent weaknesses in Cowin’s infrastructure security,” it said as the Congress and TMC demanded answers from the government.
CloudSEK, a leading cyber security startup founded in 2016, combines the power of Cyber Intelligence, Brand Monitoring, Attack Surface Monitoring, Infrastructure Monitoring and Supply Chain Intelligence to give context to customers’ digital risks.
It offered the alleged COWIN data leak analysis on government request.
Indian Computer Emergency Response Team is also investigating the issue with preliminary reports ruling out breach of citizen privacy.
