Data of 150 million vaccinated Indian’s up for sale; Health Ministry denies data breach

Cowin portal data
Cowin portal data

Advertisement

For getting a Covid-19 vaccine shot, you need to first register yourself in the CoWIN portal. This step is mandatory and you need to enter your name, phone number, and photo id proof. The CoWIN portal also asks for a pin code to guide you to the nearest vaccine center.

Now a group of hackers is selling 150 million Indian citizen’s data who got vaccinated. The hacked data include Name, Mobile Number, Aadhaar ID, state and GPS location. They are selling 150 million records for $800. The listing also makes it clear that they are reselling the data. It means someone else hacked and acquired the data.

There’s one thing that also caught my attention. Hackers claim that the data include GPS pin-point location while the app or CoWIN portal doesn’t collect this data. You have to manually enter the pin code to access the list of available Covid vaccine centers around your area.

After this news broke, the health ministry and security researchers have ruled out any possibility of such a hack. RS Sharma, who heads the CoWIN portal also gave a media statement confirming the data is safe.

“No Co-WIN data is shared with any entity outside the Co-WIN environment. The data is claimed as having been leaked such as geo-location of beneficiaries is not even collected at Co-WIN. The news prima facie appears to be fake,” said RS Sharma. He further confirmed that the Computer Emergency Response Team of MeitY has already asked to investigate the issue as a precautionary measure.

He further stated that many users who claimed to be hackers usually post fake data leaks to scam people. They take Bitcoin payment and disappear. He also gave an example of how the Leak Market listing has listed some fake data breaches on the sidebar. For example, the market also lists leak documents of SBI YONO but the platform was actually never hacked.

Check the sidebar in the above snapshot. This site even lists MobiKwik Leaked Data but hackers, who actually hacked the MobiKwik data, deleted it. Similarly, I never heard about Tata Communications and Upstox leaked. So, this listing is most probably fake one.

Advertisement