Personal information leaked in India is mostly fake

India's Co-Win online vaccination platform. (Source: India.com)

Experts say this could be one of the country's worst digital security breaches. The leak reportedly originated from the online vaccination platform Co-win via an automated program or "bot" on the messaging app Telegram.

Cybersecurity researchers and media outlets have reported verifying some of the personal data of politicians and other individuals that was leaked by the bot before it was removed from Telegram. The Co-Win platform contained data as well as Covid-19 vaccination records, government-issued ID numbers, dates of birth, and other passport-related information for more than 70% of India’s residents.

Dismissing the false information, Rajeev Chandrasekhar, India's Minister of State for Electronics and Information Technology (IT), said most of the leaked information shared was fake, and any authentic data taken took place before Prime Minister Narendra Modi's government came to power in 2014.

“The reported breach did not originate from Co-Win,” Rajeev Chandrasekhar stressed.

The breach has had a major impact on data security in a country that prides itself on building one of the world's largest digital public infrastructure networks.

At the same time, India is also making international appeals during its 2023 presidency of the Group of 20 leading developed and emerging economies (G20).

According to Mr. Chandrasekhar, an initial investigation suggests that the data may have come from a database owned by an unknown Telegram bot operator. He said the data, which includes information on age, location, and how much of it is fake, and the Indian government is investigating whether this is a deliberate attempt to mimic the breach.

Earlier this week, India’s health ministry, which manages the Co-Win database, also denied reports that bots could access individuals’ data using mobile numbers or numbers issued as part of the government’s “Aadhaar” digital ID program.

The ministry asserted that the allegation “has no basis whatsoever and is fraudulent in nature,” adding that the government’s Indian Computer Emergency Response Team would “look into the matter.”