Completed security measures and adequate safeguards for data privacy in CoWIN portal

The CoWIN site has sufficient security measures and adequate safeguards for data privacy, the government stated in the Lok Sabha on Friday. Despite being queried by Bharatiya Janata Party MP Hema Malini, Minister of State for Health and Family Welfare Satya Pal Singh Baghel did not confirm whether there was any infringement of data privacy on the CoWIN portal.

“There were media reports recently of an apparent breach of Co-WIN data of beneficiaries who have received COVID-19 vaccination in the country,” Baghel said in writing. However, he stated that action was taken quickly in this regard.

There were accusations of purported data leaks of personal information of people, including opposition leaders and bureaucrats, in June of this year. This was the second reported data leak from India’s COVID-19 vaccine tracking technology, the CoWIN portal. A similar breach was revealed in 2022. The administration disputed it at the time, claiming it was “safe and secure.”

Baghel stated in his written response that the portal has “complete security measures and adequate safeguards for data privacy with Web Application Firewall (WAF), Anti-DDoS, SSL/TLS (regular vulnerability assessment), Identity and Access Management.” He detailed the measures, saying that all Co-WIN APIs for both the government and the business sector were deactivated immediately, effectively limiting Co-WIN access.

The media response to the Co-WIN data breach was swift, reminding readers that the Co-WIN portal is totally secure, with proper safeguards for data privacy. A meeting was held with CERT-In (Indian Computer Emergency Response Team) to address CERTIn investigation needs and Co-WIN Platform security vulnerabilities. The event was reported to the National Cyber Crime Cell in a complaint. He also stated that additional precautions were made to safeguard the safety of data on the CoWIN platform. These included two-factor authentication tools (password and OTP), as well as user (service provider) login on Co-WIN. All user log trails are captured and securely kept in the Co-WIN database. Passwords for all Co-WIN services have been reset, according to the ministry.