The Health Ministry and security researchers have denied the breach of COVID-19 vaccination data of 150 million Indians, after news of the hack spread on the internet.
On June 10, Data Leak Market was selling a database of COVID-19 vaccination data in India for $800. The data included vaccination records of 150 million people, including name, Aadhaar number, and location. “We are not the original leaker of data. We are the reseller,” the website read.
The data leak allegedly happened on the CoWin portal, which both users and the government use for vaccination.
However, the health ministry and security researchers have ruled out the possibility of such a hack.
“Our attention has been drawn towards the news circulating on social media about the alleged hacking of Co-WIN system. In this connection we wish to state that Co-WIN stores all the vaccination data in a safe and secure digital environment. No Co-WIN data is shared with any entity outside the Co-WIN environment. The data being claimed as having been leaked such as geo-location of beneficiaries, is not even collected at Co-WIN. The news prima facie appears to be fake. However, we have asked the Computer Emergency Response Team of MeitY to investigate the issue,” RS Sharma, who heads the Co-WIN portal, said in a statement.
Rajshekhar Rajaharia, an independent security researcher, also said that the Co-WIN portal was not hacked. “Some fake Dark Leak Market is claiming to sell data of 150 Million COVID-19 Vaccinated People of India. It’s completely fake and a Bitcoin scam.”
He further explained that the website has been posting leaked documents that are fake. The reportedly leaked documents the site posted include SBI YONO, which was never hacked, he pointed out. It was also selling Mobikwik user data, which, Rajaharia said, is not available on the dark web.
“This market is frequently posting fake data leaks and scamming people. They are just taking Bitcoin for nothing. Data Sample also not available anywhere,” he added.
Later, the French security researcher Baptiste Robert, who had tweeted about the data leak, deleted the tweet.
However, this has not gone down well with digital rights activists, who had raised concerns. Apar Gupta, who runs the Internet Freedom Foundation, a digital rights organisation, said in a tweet that it is important for the Indian Computer Emergency Response Team to step in.
“This is critical data leak. It must be fairly and independently verified, the issue causing it and accountability must be fixed. We must resist the temptation to issue a blanket denial. Investigate, verify, please!” he tweeted.
Srinivas Kodali, a digital rights researcher, said in a tweet, “How does one establish if there was a cyber security breach? Cyber forensics. Who is responsible for this? What if it is a fake alert. Still one has to investigate it to confirm it.”