Cyber Incident Victim: CoWIN
Date: Dec 2022
Location: India
Summary
A cyber incident involving India's COVID-19 vaccination registration platform exposed user data for sale on the Dark Web, with threat actors claiming access to administrative interfaces containing sensitive information such as patient IDs, sample IDs, phone numbers, and vaccination clinic details. The breach reportedly targeted the Andhra Pradesh regional node: the actor leaked a sample of 100 user records as proof and claimed to hold data on over 500,000 users, though the access appeared limited to compromised administrator accounts rather than full system control. Data authenticity remained unverified at the time of reporting, with the actor soliciting buyers via Telegram without disclosing pricing.
Description
In December 2022, a threat actor advertised the sale of user data from India’s CoWIN COVID-19 vaccination portal on a Dark Web forum, following a breach of the Andhra Pradesh state node. The hacker claimed access to the portal’s administrative interface, sharing screenshots displaying sensitive fields including Patient ID, Sample ID, secretariat names, citizen names, mobile numbers, and result dates. Evidence included administrative panel images and an Excel sheet listing 100 Andhra Pradesh users’ phone numbers and Patient IDs, purportedly validating the breach’s authenticity. The actor initially offered data for 5,000 users but later asserted possession of over 500,000 accounts, though the claims remained unverified. The compromised data extended beyond individual records to include vaccination clinic details, administrator accounts, and provider information. No financial demands were publicly specified, with negotiations directed to the hacker’s Telegram contact. The breach appeared limited to an administrator account for the Andhra Pradesh subdomain (CoWIN.ap.gov.in), not the central CoWIN.gov.in infrastructure operated by India’s Ministry of Health and Family Welfare.

The incident raised concerns about unauthorized access to health data, though its operational impact on national vaccination efforts was unclear. The hacker’s posts emphasized regional targeting, with all sampled records linked to Andhra Pradesh districts. No government or CoWIN operator statements were referenced in the source material to confirm or refute the breach’s scope. The absence of pricing details or bulk data samples beyond the 100-record proof left the threat actor’s capabilities ambiguous. CoWIN’s role as a central repository for citizen vaccination data heightened sensitivities around potential misuse, such as identity theft or targeted scams using leaked phone numbers. The breach followed closely after a separate cyberattack on Delhi’s All India Institute of Medical Sciences (AIIMS), though no connection between the incidents was asserted. The narrative concluded with unresolved questions regarding data verification, exploitation timelines, and systemic vulnerabilities in regional CoWIN nodes.
