Rumored breach of India’s vaccination data portal threatens to undermine DPI influence

Reports are swirling that India’s public vaccination portal, CoWIN, has suffered a breach of huge volumes of personal information, including Aadhaar numbers.

The government denies that a breach has occurred, calling the reports “without any basis and mischievous in nature.”

“Only OTP authentication-based access to data is provided. All steps have been taken and are being taken to ensure the security of the data in the CoWIN portal,” an official statement from the Ministry of Health & Family Welfare (MoHFW) says.

The Indian Computer Emergency Response Team (CERT-In) has investigated, and its initial report says the “backend database for the Telegram bot was not directly accessing the APIs of the CoWIN database.”

Reports over the weekend, however, such as one from The Quint, suggested that a bot called “Truecaller” exposed personal data from people vaccinated in India from June 1 to June 12. The data allegedly included Aadhaar numbers, passport numbers, voter ID numbers, insurance policy and family information and date of birth.

The publication quotes a digital identity awareness advocate who notes that the CoWIN database holds records on many millions of people, including minors.

Union Minister of State for Entrepreneurship, Skill Development, Electronics & Technology  Rajeev Chandrasekhar said in a tweet that the data “seems” to have come from a previous breach. Biometric data is not included in the data, whatever its source.

Full speed ahead on DPI push

The rumored breach comes just as India is seeking to extend its global leadership in development of digital public infrastructure. The Digital India initiative’s Global DPI Summit is on now, with sessions on ‘digital identities for empowering people’ and other elements of the ‘India Stack,’ such as payments.

The digital identity session covered the use of biometric face authentication within the Aadhaar ecosystem to make various processes and transactions more convenient.

The Economist compares India’s DPI push to China’s Belt and Road Initiative, and considers the possibility that it could provide an alternative to digital infrastructure like the payments rails offered by businesses based in the West. Outreach to countries with developing economies has come up repeatedly in recent years, such as at ID4Africa 2023.

The article also notes challenges India has faced realizing the benefits of Aadhaar in areas with low connectivity, or for people whose fingerprints have been worn down.

Article Topics

Aadhaar  |  data protection  |  digital ID  |  digital public infrastructure  |  health passes  |  India  |  India Stack