India: Two brothers in Bihar stole CoWin data, misused mother's official ID to access info
A little less than 10 days after news reports pointed to a major data breach in the COVID-19 vaccination portal CoWIN, the Delhi Police Special Cell has arrested a man and apprehended his minor brother from India's eastern state of Bihar.
Police said the man (22) and his minor brother illegally accessed information on the portal, retrieved personal details of a few individuals and created a bot, which was uploaded on messaging app Telegram.
The man was arrested from the capital city of Patna. He has completed B.Tech from a Bihar institute and was unemployed. After conducting investigation, the authorities found his 17-year-old brother was also involved in the case and took him in custody.
Police said the duo did not sell the data to anyone but created the Telegram bot to merely "gain more followers". They used their mother's login credentials, who is an Auxiliary Nurse Midwife (ANM) in Patna, to access the data on CoWIN portal.
“The mother will also be questioned. She was not aware that her CoWIN ID had been compromised. While not much is known, we found that the sons gained access to the mother’s ID and took data of a few individuals from Bihar," a senior police officer from the Special Cell was quoted as saying by The Indian Express.
"They created a bot and circulated the information on their Telegram channel to gain more followers. At present, we haven’t found any other motive,” said a senior police officer from the Special Cell.
Both brothers were brought to Delhi and produced before courts. They are currently being questioned by Delhi Police and other investigation agencies.
Government's response to the allegations
Last week, reports claimed that there was a purported breach of data of beneficiaries registered on the government-run portal. However, the Union Health Ministry soon released a clarification saying such reports were without any basis, and the security systems had not been breached by any external attack.
“Co-WIN portal of the Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on the Co-WIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management etc. Only OTP authentication-based access of data is provided,” read the statement.
The ministry also said that without a One-Time-Password (OTP), vaccinated beneficiaries’ data cannot be shared with any BOT.