In India, personal data of over a billion people who have been vaccinated against COVID-19 has been leaked. The data published contains mobile phone numbers, national identification numbers, identity card numbers, voting cards, and other personal information. This data has appeared on a well-known data stolen forum. The Indian government denies the incident, calling it “unfounded and malicious”. However, the Indian Computer Emergency Response Team (CERT-In) has been asked to investigate the facts.
According to the official vaccination portal of the Indian government, Co-Win, it is a “comprehensive cloud-based IT solution for real-time planning, implementation, and monitoring of COVID-19 vaccination”. The Indian government claims that the portal is “absolutely safe”. The government has also asked CERT-In to investigate reports that a Telegram bot provides details about certain individuals from a database of cybercriminals when entering phone numbers.
The opposition spokesperson of the “All India Trinamool Congress” party, Saket Gokhale, has criticized the Indian government for not informing citizens about the data protection violation. He has also shared excerpts of accessible data in his tweets. The Indian Minister of State responsible for information technology, Rajeev Chandrasekhar, claims that the leaked data comes from previous data leaks and that so far, no unauthorized person has accessed the Co-Win app or the Co-Win database.
The Indian government’s behavior has been called into question, with concerns about the security of Co-Win and why the government did not know about previous data leaks. The national data governance directive is supposed to create “a common framework for data storage, access, and security standards across government”. However, it remains to be seen if this directive has been effectively implemented.