CoWin portal data leak feeds risk of scams and extortion calls: Experts
Information such as government ID numbers (Aadhaar, passport, or PAN) becomes a persuasive record, as it cannot be changed or erased for a particular individual
Last Updated: Jun 13 2023 | 8:49 PM IST
The alleged leak of private data of Indian Covid-19 vaccine takers from different age groups and demographics registered on the CoWin portal may create a perfect recipe for cybercrime such as identity thefts, phishing attacks, scams and extortion calls, experts warn.
Though the government has denied any breach at its end, accurate information about vaccine takers’ government ID cards, mobile numbers, addresses, and dates of birth was found to be leaked on a Telegram channel. According to cyber security professionals, the nature of datasets stored with the CoWin platform provides almost everything needed for sophisticated social engineering tactics.
“Both CoWIN and Aadhaar data of India is extremely sensitive and at a massive risk of cyberattacks, which can wreak havoc when in the hands of nation-state adversaries among the scammers. Furthermore, people commonly use the type of information exposed here as their passwords and security questions to access digital services,” said Himanshu Pathak, the managing director at CyberX9.
Information such as government ID numbers (Aadhaar, passport, or PAN) becomes a persuasive record, as it cannot be changed or erased for a particular individual.
According to Kumar Ritesh, founder, chairman and chief executive officer (CEO) of external threat management company CYFIRMA, adversaries can continuously use such information in their favour and in different scenarios.
“The leaked data gives enough information for perpetrators to breach into banking systems and other platforms used in day-to-day business. With the use of leaked elements, cyber threat actors may also attempt more ‘brute force’ attacks by using combinations of first name, date of birth, etc. We have seen historically in many cases, such information has been capitalised on to do that,” Ritesh said.
Brute force refers to attacks that use trial and error to guess login credentials or encryption keys. Ritesh recommends changing passwords regularly, at least once in 60 days. “Do not get lured by phishing messages with lucrative offers. Make sure that you keep a close eye on your financial systems and personal behaviour systems,” he said.
According to Kaspersky, global phishing attacks doubled in 2022. The company’s anti-phishing system successfully blocked over 500 million attempts of fraudulent access last year.
“Such data leaks don’t allow any recourse to the impacted party. They are often unaware of whether the data has been leaked or what remedial measures they need to undertake or the impact they potentially stand to face. It is high time that the government passed the data privacy Act and allowed recourse for events like these,” said Pankit Desai, co-founder and CEO of cybersecurity firm Sequretek.
The government has previously expressed intentions to repurpose the digital health platforms Aarogya Setu and CoWIN to address certain health issues in the country. The security of data on these platforms becomes more crucial, as experts mark health data as one of the most monetisable resources for hackers.
“This (the data leak) is a reminder that even more sensitive data such as reproductive, sexual, and mental health data is at risk of a breach as the National Digital Health Mission takes off. As we adopt technology to make our health systems better, we need regulation to keep pace and to increase accountability of all data fiduciaries including the government to prevent such breaches. Such incidents erode trust in digital ecosystems, leading to long-term damage beyond immediate privacy concerns as well,” said Aparajita Bharti, co-founder at TQH Consulting.