CoWIN Data Leak: Two Bihar Brothers Apprehended For Allegedly Leaking Data From Portal On Telegram

The Delhi Police Special Cell has arrested a man from Bihar and apprehended his minor brother for allegedly leaking data from CoWIN, the government's web portal for Covid-19 vaccination registration.

According to the police, the two accessed information on the portal illegally, retrieved personal details of a few individuals, and uploaded a bot on Telegram.

Earlier this month, the Intelligence Fusion and Strategic Operations (IFSO) unit of the Special Cell lodged an FIR for the alleged data breach and analysed the Telegram channel where the data was being shared.

The police conducted several raids and arrested the main accused, a 22-year-old unemployed man who has finished his BTech from a Bihar institute, in Patna.

The investigation revealed that his minor brother, aged around 17, was also involved in the case and was apprehended from their house.

Delhi Police brought the two to the capital and produced them before the court. The police are questioning the brothers in connection with the data breach.

The two created the Telegram bot to merely "gain more followers," sources said, as reported by the Indian Express. The police confirmed that the two did not sell the data to anyone.

The two brothers accessed the data on CoWIN by using their mother's login ID and credentials. Their mother is an auxiliary nurse midwife (ANM) in Patna.

“The mother will also be questioned. She was not aware that her CoWIN ID had been compromised,” said a senior police officer from the Special Cell.

According to experts, ANM workers can only access data for the people they vaccinate. The data is limited to phone numbers, dosage information, and district centre information.

Reports last week revealed a purported breach of data of beneficiaries registered on the CoWIN platform. A Telegram bot accessed the data, which included the gender, date of birth, Aadhaar details, address, and centre for vaccination of beneficiaries. On 12 June, the Ministry of Health and Family Welfare issued a press release stating that the Telegram bot was not using CoWIN's application programming interface.

The Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, reviewed the alleged breach and confirmed that the CoWIN portal was not directly breached.

The Indian Computer Emergency Response Team (CERT-In), the nodal cyber security agency, conducted the review and found that the bot was using previously breached databases.

Senior police officers confirmed that the arrested duo were not involved in the major data breach that resulted in the data leak of thousands of people from across states. The officers stated that the accused only had access to the data of a few individuals.

With the help of the Telegram platform and CERT-In, the investigation was conducted. A source stated that the matter is at a preliminary stage and not much can be revealed. The arrested men were not selling the data to anyone in particular. They only had access to a certain ID and data, which they used to create software (bot) and share on social media.