Covid vaccination data of millions of Indians ‘leaked’ online; Indian govt denies

iNDICA NEWS BUREAU–

Cyber-criminals have allegedly stolen data of thousands of people in India, including health workers, from a government server (that has even been indexed in Google Search), which includes name, mobile number, address and Covid test results.

The data leak allegedly happened on the CoWin portal, which is used for vaccination.

The data of over 20,000 Indians are available on the Raid Forums website on the Dark Web, and the hacker claims that they are directly coming from a government CDN (content delivery network) server.

The same documents are also available freely on Google Search as “List of Beneficiaries Enrolled for Covid Vaccine” with keywords like RT-PCR results.

“PII including Name, MOB, PAN, Address etc of #Covid19 #RTPCR results & #Cowin data getting public through a Govt CDN. #Google indexed almost 9 Lac public/private #GovtDocuments in search engines. Patient’s data is now listed on #DarkWeb. Need fast deindex,” cyber security researcher Rajshekhar Rajaharia Rajaharia said in a tweet.

The most pressing concern is that the data of thousands of health workers (available in PDF files) have been exposed online in Google Search that contains PAN numbers, Aadhaar and other personal details like mobile numbers, address, age, gender etc.

“I am not reporting any #Vulnerability here. I am asking people to #Beware for any Fraud #calls/#offers/#treatment etc related to pre/post #Covid19. The data is already up for sale on a #DarkWeb Forum,” Rajaharia said in another tweet.

Last year, the Health Ministry and security researchers had denied the breach of Covid-19 vaccination data of 150 million Indians, after news of the hack spread online.

Meanwhile, the Indian government on Monday said that it does not appear that the CoWIN app or its database has been directly breached as alleged in some reports after a Covid data leak surfaced on social media app Telegram.

Union Minister of State for Electronics and IT, Rajeev Chandrasekhar said that with reference to some alleged CoWIN data breaches reported on social media, the Indian Computer Emergency Response Team (CERT-In) immediately responded to the threat and reviewed it.

“A Telegram bot was throwing up CoWIN app details upon entry of phone numbers. The data being accessed by bot from a threat actor database, which seems to have been populated with previously breached/stolen data stolen from the past,” the minister said in a tweet.

He said that it does not appear that the CoWIN app or database has been directly breached.

Related posts