💣💣 The inevitable has happened. #CoWINDataLeak reported by @thefourthlive @ManoramaDaily is the largest #DigitalPublicInfrastructure disaster.

Thread on some impacts.
1. What happened? What data points are exposed?

A: A Telegram bot allows querying what appears to possibly be the entire #CoWIN database by mobile number / #Aadhaar, and returns vaccination details if they exist.

Name, Mobile, Gender, ID Proof used (Aadhaar/Passport), Vax centre address
If a single number is used for an entire family, it returns all members who used the same number.

RS Sharma, Meenakshi Lekhi, KC Venugopal are some of those whose data was available.

2. What is the size of this data leak?

A: While people were able to query anyone they knew and get details, it is unclear how much data has leaked.

I tried searching for #JusticeForSrimathi in the database and a record exists. Vaccination for minors started in Jan 2022.
We crossed a billion jabs by late 2021 and this means at the very least a billion records were exposed. #CoWINDataLeak is thus the largest data leak in Indian history - surpassing #AadhaarLeaks which were at ~200 million.
As with anything enabled by #Aadhaar - fraud in #CoWIN vaccination is also widespread. While a lot of people complained, there was sufficient reportage around misuse of SIM / Aadhaar in vaccination and how unknown persons' vaccination certificates were SMS'd to people. We now have evidence.
I used the #UID of Hanuman and Pakistani spy Mehaboob - both of which were disabled after 2016 reportage. The results are interesting.
Mehaboob - Pakistani spy - whose UID was deactivated in 2016 got 5 (or more) vaccinations.

Hanuman too got 5 (or more) vaccinations.

What this exposes is how much of the 2 billion doses were fraudulent. The vaccine manufacturers were paid for these. #CoWIN is a multi-crore #SCAM.
#CoWIN has now proven to be the biggest #DigitalPublicInfrastructure disaster - which we seem to be advocating to the world.

Given that a large number of people's dates of birth are now exposed - financial regulators like @RBI, @SEBI_India @irdaindia must issue guidelines to banks, mutual funds - to avoid any sensitive operation using date of birth, to prevent fraudsters exploiting the common man.
There were warnings in 2021 - it was vehemently denied. The current #CoWINDataLeak contains data until at least early 2022.

Will @rssharma3 @UNDP_India @NandanNilekani @eGovFoundation take any accountability for the leak and risking a billion people?
While it's important to seek accountability - we must understand this is the largest #DigitalPublicInfrastructure disaster. All those evangelising #DPI never wrote about disaster response.

Keep a close tab on ALL your bank accounts / insurance policies - now that date of birth is public.
Password reset for any of these is one step faster for fraudsters now that your date of birth is available. Never, ever share an OTP - but for every account you have, try the password reset flow to ensure it can't be taken over.
Digital disasters are social privilege agnostic.

Bot is now deleted. Most likely @telegram might have had a request from law enforcement. cc @nixxin
Remember the open challenge by RS Sharma to @kingslyj exposing his UID?

Well his own #Aadhaar was used in Khliehriat CHC by someone in #CoWIN - a platform he headed.

This must tell his security credentials

#CoWINDataLeak #DigitalPublicInfrastructure disaster #DPISummit
The ‘digital-first’ vaccination drive essentially enabled centralized data collection by the government, fully ignoring privacy concerns which other countries gave due importance to by providing paper-based vaccination certificates.

thequint.com/fit/cowin-data… - @garima_sadhwani
Reminder that - @internetfreedom @no2uid and several others made a joint call - advocating data-light vaccination - which the government did not listen to.

@thefourthlive, which originally broke the #CoWINDataLeak yesterday, shows how coriander got vaccinated as well. #DPIDisaster
Usually, hackers reveal a slice of data publicly via a bot or web page to prove to the world they have said data and then sell it on the dark web. While the bot is down now, we don't know where all the data is being traded. wired.com/story/a-massiv… #DPIDisaster #CoWINDataLeak
Cybersecurity firm @cloudsek (which also works with Meity on several projects) - put out an 'independent' report - cloudsek.com/threatintellig…

They self-contradict in their statement. Either they do not have access/data OR they have scraped data.
Whoever in government is saying only year of birth was collected is lying. - The following are pieces of data a vaccinator feeds into CoWIN during vaccination - even if you didn't book online appointment. diffchecker.com/qecNUrYL/

What people ostensibly 'consented' to. From messages on the CoWIN vaccinator page.
How much was spent to collect and leak this data? $4.62 M --
What was the original stated purpose of #CoWIN?
Adverse Events Following Immunisation or #AEFI monitoring.

How well did we achieve that? #CoWinDataLeak

What did the 'donors' and 'funders' think of the #CoWIN project?

Funding this data collection project is addressing gender issue - and there are no risks of any kind identified.

@UNDP_India shame on you info.undp.org/docs/pdc/Docum…
undp.org/india/projects… - Winning Over COVID (CoWIN) - @UNDP_India - didn't age well either!
Actually - scratch the $4 M. It's actually $6.6 M spent for #CoWINDataLeak
Rumored breach of India’s vaccination data portal threatens to undermine DPI influence biometricupdate.com/202306/rumored… via @BiometricUpdate

#DPIDisaster #CoWINDataLeak is the biggest #DigitalPublicInfrastructure disaster sponsored by billionaires
#CoWinDataLeak & case of #Aadhaar ‘infidelity’ by Ram Sewak Sharma theraisinahills.com/data-breach-ca…

More laugh lines, this time from perplexed @INCIndia on @rssharma3 'Infidelity'.
Guess who profited the most? The leaker / collector?

$956K was how much @eGovFoundation got for strengthening #CoWIN - This is a bigger scam than @13footwall #CoWINDataLeak
The average startup gives you cashback as bait and collects data - The philanthropist also plays the same game at a different pitch, no?


