India's opposition demand probe into Covid vaccination data leak

The opposition parties in India called for an inquiry on Monday (12) into the alleged breach of data on the CoWIN platform, which contains information about registered citizens who took vaccination against Covid-19. They also urged the government to take necessary action to prevent such incidents in the future.

The government, however, dismissed these claims as baseless and characterised them as "mischievous," emphasising that the CoWIN portal maintains a high level of security and privacy safeguards.

Rajeev Chandrasekhar, the Union minister of state for information technology, said that the Indian Computer Emergency Response Team (CERT-In) promptly responded to the alleged leak. He added that there is currently no evidence suggesting a direct breach of the CoWIN app or database.

However, the main opposition party, the Congress,  called for a high-level judicial investigation into the government's data management system to assess the potential risks posed to the privacy of all Indian citizens.

K C Venugopal, Congress general secretary (Organisation), emphasised that it is the responsibility of any entity, particularly the government, to prioritise the protection of individual privacy above all else.

"It is clear that no citizen can trust this government with its private information. Only an impartial, high-level judicial probe into the government's entire data management apparatus can identify the extent of danger that is posed to our privacy as a result of this government's carelessness," Venugopal said on Twitter.

He also hit out at Chandrasekhar, saying, "I am appalled at your casual response to the breach of privacy of 1.4 billion Indians."

Congress general secretary in-charge communications Jairam Ramesh said the personal data breach is a "very grave matter" with serious implications for privacy, security and makes us all vulnerable to financial frauds.

Hitting out at Chandrasekhar, he said, "The tech-savvy minister instead of issuing casual WhatsApp forward style tweets should hold a press conference at the earliest and clarify at the very least: What he means by 'previously stolen data stolen in the past' — stolen from which database, when, and what action was taken?

"If CoWIN database hasn't been 'directly breached', is the Minister then accepting that it is an indirect breach? What other databases are linked to the CoWIN database that has led to this vulnerability?" Ramesh said.

"What immediate steps is the Modi government taking to secure the personal data of crores of Indians who trusted the govt to keep their details safe," he asked.

Congress leaders also alleged it was a case of "criminal negligence" and asked why the government was sitting on a data protection law.

"In its Digital India frenzy, the government has woefully ignored citizen privacy. Personal data of every single Indian who got the Covid-19 vaccination is publicly available. Including my own data. Who let this happen? Why is the government sitting on a data protection law?" Congress MP Karti Chidambaram said.

Minister of electronics and information technology Ashwini Vaishnaw must answer, he said.

Trinamool Congress national spokesperson Saket Gokhale also attacked Vaishnaw. "This is a matter of serious national concern. And predictably, the minister-in-charge of this is Ashwini Vaishnaw who heads the Electronics, Communications, and IT portfolios in addition to Railways. How long will incompetence of Ashwini Vaishnaw be ignored by PM Modi?" he said.

In a statement, the CPI(M) demanded a thorough inquiry. "This is of serious concern and an infringement of the right to privacy which was declared by the Supreme Court as a fundamental right of all Indians. "CPI(M) demands a thorough investigation be conducted and those responsible for such a major breach in the security of personal information of Indians must be identified followed by deterrent action," the Left party said.

CPI(M) general secretary Sitaram Yechury said, "Shocking and damning. Mega data breach from the CoWin portal. Personal details of all vaccinated accessible in public domain. Thorough investigation essential & the guilty punished stringently."

Gokhale claimed that individuals whose personal data has been breached include several opposition leaders like Rajya Sabha MP and TMC leader Derek O'Brien, former Union minister P Chidambaram, Congress leaders Jairam Ramesh and KC Venugopal and Rajya Sabha MPs Sushmita Dev, Abhishek Manu Singhvi, and Sanjay Raut. He also named several journalists. "Why is the Modi government including Home Ministry not aware of this leak and why haven't Indians been informed about a data breach?" he said.

Chandrasekhar said the National Data Governance policy has been finalised that will create a common framework of data storage, access, and security standards in the country. He issued a four-point tweet, asserting in the second point that "the data being accessed by bot from a threat actor database, which seems to hv been populated with previously stolen data stolen in the past".

Reacting to it, Gokhale asked if the minister is "admitting there was a breach in Cowin in the past and data was stolen". The minister later issued another tweet clarifying his earlier post.

"Since some queries have been raised - am reiterating @IndianCERT finding - that Point number 2 in my tweet refers to previously breached or stolen data from databases other than CoWIn."

The CoWIN was developed and is owned and managed by the Ministry of Health and Family Welfare. At present, the Health Ministry said in a statement, individual-level vaccinated beneficiary data access is available at three levels.

"Without OTP, vaccinated beneficiaries' data cannot be shared to any BOT," the ministry said.

(PTI)