The COVID-19 data breach has become a common instance lately. The cost of data breaches reached a ‘record high’ last year, and it is only getting worse. As per a recent report, a government server in India was subjected to a COVID data breach, with names, contact numbers, addresses, and even test results of thousands of people being leaked online. Also Read - Nvidia CEO says video gaming market is slowing down
As per a PTI report, the leaked data was put on sale on the Raid Forums website where a cybercriminal claims to have personal data of over 20,000 people. Apparently, all of this information could be easily accessed through online research. Also Read - SpiceJet faces ransomware attack: Flights delayed, passengers stranded on airport
Rajshekhar Rajaharia, a cyber security researcher citing breach said that personally identifiable information (PII) has been made public through a content delivery network (CDN) and Google has indexed lakhs of these public and private documents possessed by the government. Rajaharia in a follow-up tweet said this intention is not to report any vulnerability in this incidence but caution people to stay vigilant from fraud calls, offers related to COVID-19. Also Read - SBI users might fall victim to this scam SMS and lose money: Here's what the government says
While the researcher pointed Cowin’s data getting public through a government CDN, the Centre reportedly denied the leak and said that it is not related to Cowin.
PII including Name, MOB, PAN, Address etc of #Covid19 #RTPCR results & #Cowin data getting public through a Govt CDN. #Google indexed almost 9 Lac public/private #GovtDocuments in search engines. Patient’s data is now listed on #DarkWeb. Need fast deindex#Infosec @IndianCERT pic.twitter.com/LgQxZZi8T6
— Rajshekhar Rajaharia (@rajaharia) January 19, 2022
“However, prima facie it appears that the alleged leak is not related to Co-WIN as we neither collect any information on address or the COVID-19 status of beneficiaries,” the ministry noted. The Government of India issued a statement and denied any data breach from the Cowin portal.
“There have been several media reports claiming that the data stored in Co-WIN portal has been leaked online. It is clarified that no data has leaked from Co-WIN portal and the entire data of residents is safe and secure on this digital platform. It is also clarified that while the Union Ministry of Health & Family Welfare will enquire into the substance of the news, prima facie the assertion is not correct, as Co-WIN collects neither the address of the person nor the RT-PCR test results for COVID-19 vaccination,” the statement read.
While pandemic has forced many to switch to digital space, cybercriminals have found an easy route to exploit data over the past year. Cybersecurity experts have time and again warned against potential identity thefts. Last year, several COVID patients’ Aadhaar details were allegedly sold on the dark web. Although there is no viable solution yet, users can save their data from getting exploited by being careful with sharing details online.