Govt refutes co-win data breach report, calls it 'mischievous'

The government has asked CERT-In, which is the national nodal agency for cybersecurity incidents, to look into the issue and submit a report.
The government’s statement comes hours after some reports claimed a major data breach of beneficiaries who have received covid-19 vaccination on Telegram, an online messaging platform. Credits: Illustration by Amit Sharma

Refuting reports of a potential breach of covid-19 vaccination beneficiaries' data on Telegram, the central government on Monday said that the co-win portal of the health ministry is completely safe with safeguards for data privacy. The centre also clarified that reports regarding a potential co-win portal data breach are completely baseless and "mischievous" in nature. The government’s statement comes hours after some reports claimed that data of beneficiaries who have received covid-19 vaccination had been leaked in a major breach on Telegram, an online messaging platform. The government has asked CERT-In, which is the national nodal agency for cybersecurity incidents, to look into the issue and submit a report.

"It is clarified that all such reports are without any basis and mischievous. The co-WIN portal of the Health Ministry is completely safe with adequate safeguards for data privacy. Furthermore, security measures are in place on the Co-WIN portal, with Web Application Firewall, Anti-DDoS, SSL/TLS, regular vulnerability assessment, Identity & Access Management etc. Only OTP authentication-based access to data is provided. All steps have been taken and are being taken to ensure the security of the data in the CoWIN portal," the union health ministry said in a statement.

According to reports, sensitive information such as a person’s contact number, gender, ID card and date of birth has been leaked on Telegram and can be retrieved via a Telegram bot by entering the person’s name, phone number or Aadhaar number; the leak could impact hundreds of individuals, including children. However, the government said that without the OTP of the vaccinated beneficiaries, data cannot be shared with any bot, and there is no provision to capture the address of the beneficiary. The government said that only the year of birth (YOB) is captured for adult vaccination.

"The development team of COWIN has confirmed that there are no public APIs where data can be pulled without an OTP. In addition to the above, there are some APIs which have been shared with third parties such as ICMR for sharing data. It is reported that one such API has a feature of sharing the data by calling using just a mobile number of Aadhaar. However, even this API is very specific and the requests are only accepted from a trusted API which has been white-listed by the Co-WIN application," the health ministry said.

"Union Health Ministry has requested the Indian Computer Emergency Response Team (CERT-In) to look into this issue and submit a report. In addition, an internal exercise has been initiated to review the existing security measures of CoWIN. CERT-In in its initial report has pointed out that the backend database for the Telegram bot was not directly accessing the APIs of the CoWIN database," the ministry added.
