Health Minister Dr Harsh Vardhan on Thursday dismissed the reports about the Co-WIN platform being hacked, as “fake”. Vardhan said the data that was speculated to have been leaked — such as the geo-location of beneficiaries — is not even collected on Co-WIN. Vardhan added that “all data on Co-WIN is stored in a secure digital environment and is not shared with anyone outside of it.” He said that for “abundant precaution”, the matter is being investigated by the Ministry of Electronics and Information Technology (MeitY) response team.
All data on #CoWIN is stored in a secure digital environment and is not shared with anyone outside of it.@PMOIndia @MoHFW_INDIA @PIB_India #Unite2FightCorona #IndiaFightsCorona #IndiaFightsCOVID19
— Dr Harsh Vardhan (@drharshvardhan) June 10, 2021
Dr RS Sharma, chairman of the Empowered Group on Vaccine Administration (Co-WIN), also clarified that “our attention has been drawn towards the news circulating on social media about the alleged hacking of the Co-WIN system. In this connection, we wish to state that Co-WIN stores all the vaccination data in a safe and secure digital environment. No Co-WIN data is shared with any entity outside the Co-WIN environment. The data being claimed as having been leaked such as the geo-location of beneficiaries, is not even collected at Co-WIN”, according to PTI.
Where did the claim about the Co-WIN breach come from?
Late on Thursday, a website called Dark Leak Market on the DarkWeb posted that the COVID-19 vaccination data of 150 million Indians were up for purchase. The post claimed that the alleged hack revealed user data including name, mobile number, Aadhaar ID, GPS location, state etc. The Dark leak Market website also stated that they weren’t the “original leaker” of the data, just the resellers.
[ALERT] Dark Leak Market on the DarkWeb has posted a post selling information of 150 Million COVID19 Vaccinated People of India. pic.twitter.com/32Chmcao9W
— DarkTracer : DarkWeb Criminal Intelligence (@darktracer_int) June 10, 2021
On Thursday evening, French security researcher Baptiste Robert aka Elliot Alderson also re-tweeted the post by ‘Dark Leak Market’, but later deleted it.
The Co-WIN hack claim could be a Bitcoin scam
Hours after the post claiming the alleged Co-WIN hack, security researcher Rajshekhar Rajaharia revealed in a Twitter post that the portal was not hacked, and the claim was actually a “Bitcoin scam”.
Rajaharia said “this market is frequently posting fake data leaks and scamming people. They are just taking Bitcoin for nothing. Data Sample also not available anywhere.”
This market is frequently posting fake data leaks and scamming people. They are just taking Bitcoin for nothing. Data Sample also not available anywhere.#InfoSec #DataLeak https://t.co/kczBywifcJ
— Rajshekhar Rajaharia (@rajaharia) June 10, 2021
Rajaharia also pointed out that the hackers were demanding a fee to buy the sample data and revealed no evidence to prove the hack.
This is the latest screenshots of this Fake Dark Leak Market. They are also charging for Sample Data. Not a single line of leaked data avail to trust this leak. #InfoSec pic.twitter.com/tMTwKElMR3
— Rajshekhar Rajaharia (@rajaharia) June 10, 2021
The hackers were selling the “sample data” for $180.
Huh!! Price for the sample data is 180 USD in Bitcoin…#InfoSec pic.twitter.com/zfCXtQ6JiG
— Rajshekhar Rajaharia (@rajaharia) June 10, 2021