BL Explainer. Is the Co-WIN “breach” a cause for concern? bl-premium-article-image

PT Jyothi Datta Updated - June 13, 2023 at 06:38 PM.

It presents a case for digital hygiene and an accountable, data privacy framework  

What is Co-WIN and what kind of data is captured on it?

The Co-Win portal shot to prominence in India during the pandemic, when Covid-19 vaccines were ready to be rolled out. Over 100 crore citizens have used Co-Win (the Covid Vaccine Intelligence Network) to register for their Covid-19 vaccinations.

From a user point of view, the data capture would have been any of the 10 photo identity cards that were recognised by the site and shared by the individual. This included the Aadhaar card, driving licence, PAN card, passport, pension passbook, NPR smart card, Voter ID, Unique Disability Identification Card, ration card and student photo ID cards. And this would have been linked back to individual phone numbers.

The portal provided a one-stop site to check vaccine availability, supplies, the type of vaccine available, etc., giving the apex Health Ministry a bird’s eye view on vaccine inventory, the age profiles of people (and children) getting vaccinated, the type of vaccine available, adverse events linked to the vaccines etc.

What is the alleged data leak from Co-WIN about?

The week started with reports of a likely breach of the Co-WIN portal, exposing the data of people registered on the site. Personal data, including the date of birth, passport details, etc., of citizens were accessible, by providing a registered mobile number. Details of politicians and bureaucrats, including those involved with health and the Co-WIN portal, were accessed, by those reporting the data leak.

Multiple arms of the Government including the Health Ministry clarified Co-WIN was safe and safeguards were in place to protect data privacy, and that the site had not been “directly” breached. Initial reviews whittled it down to a bot (robot) on the social messaging platform Telegram sharing personal information, that had been gleaned from publicly available data or previously stolen information.

This is where it gets tricky. Data privacy activists point to the lack of clarity in timelines (if there was an earlier breach) and have sought details, including how Co-WIN data was available elsewhere in the first place.

Also read: CoWIN data breach: Activists ask for more transparency

What are the security features in Co-WIN which protect user data?

The Centre maintains there are safeguards in place, including the OTP (one time password) protection to ensure user data is not wrongfully accessed.

So while answers are awaited on whether there had been a previous breach, etc., industry players working with digitising health data say, provisions are in place to ensure that a possible breach at one site would not have a run-on effect on other services like Ayushman Bharat, digital health IDs and lockers, and so on, as they are OTP-protected, seek consent, etc.

What is the government’s response to the data leak?

The Centre has maintained that there has not been a “direct” breach, but it has instituted a review by CERT-In (the Computer Emergency Response Team). The errant bot stands disabled. But given the increasing number of online attacks on healthcare institutions (hospitals, pharma companies, etc), clearly multiple arms of the Government will be reviewing the incident.

Also read: Malware attack at AIIMS hospital neutralised

What does it mean to users? Is there anything they can do to protect themselves while entering private data on public websites?

At a basic level, service providers handling digital data urge users to exercise “digital hygiene” — don’t share passwords, OTPs, etc; don’t use random computers to share critical information, log out from websites when finished.

But at a policy level, internet freedom forums campaign for a data privacy framework that protects data and allows users to delete their information once the original need is fulfilled. The increase in tele-marketing calls are evidence that data is a leaky bucket and data shared with one institution, gets illegitimately used by a random service provider that the individual may have never approached in her life.

A critical question being asked now is, who will be held accountable for the data breach? After all, citizens shared their information on Co-WIN in the belief it would be protected.

Published on June 13, 2023 08:31

This is a Premium article available exclusively to our subscribers.

Subscribe now to and get well-researched and unbiased insights on the Stock market, Economy, Commodities and more...

You have reached your free article limit.

Subscribe now to and get well-researched and unbiased insights on the Stock market, Economy, Commodities and more...

You have reached your free article limit.
Subscribe now to and get well-researched and unbiased insights on the Stock market, Economy, Commodities and more...

TheHindu Businessline operates by its editorial values to provide you quality journalism.

This is your last free article.