Cyber Security

Data of 15 Crore Indians who received COVID vaccine is allegedly on sale

The data of 15 crore Indians who received COVID vaccine is allegedly on sale. A dark web marketplace ‘Dark Leak Market’ is allegedly selling the information of 150 million COVID-19 vaccinated Indians. Dark web criminal intelligence platform DarkTracer has shared the following tweet. The entire trove of data is available for a mere $800.

As per the shared screenshot, the leaked database contains name, mobile number, Aadhaar ID, accurate GPS location, as well as address of individuals. India had recently reached the landmark of 15 crore vaccinations.

The CoWin portal, which is used to register for vaccination slots gathers the above said information as per its privacy policy. But the privacy policy does not mention anything about GPS location, meaning it does not collect location data.

However, the authorities are yet to confirm the breach. If they choose to investigate, or comment on the issue, we will update this story further.

Update 11:30 p.m., 10th June, 2021: The Ministry of Health has issued an official statement and said that the Computer Emergency Response Team (CERT-In) is investigating the issue. It has added that “No CoWin data is shared with any entity outside the CoWin environment.”

Our attention has been drawn towards the news circulating on social media about the alleged hacking of Co-WIN system. In this connection we wish to state that Co-WIN stores all the vaccination data in a safe and secure digital environment. No Co-WIN data is shared with any entity outside the Co-WIN environment. The data being claimed as having been leaked such as geo-location of beneficiaries, is not even collected at Co-WIN.”

Update (11:32 a.m., 11th June, 2021): Independent Security Research Rajshekhar Rajaharia tweeted that the dark web website in question is running a Bitcoin scam in the name of selling breached data. It lists fake leaks and scams people. Further, no data sample is available to substantiate its claim.

Update (07:21 p.m., 12th June, 2021)

CERT-In has concluded its investigation. Dr. R.S. Sharma, Chairman of the Empowered Group on Vaccine Administration (EGVAC) as clarified that “the claims of so called hackers on the dark web, relating to alleged hacking of the Co-WIN system and data leak, is baseless. We continue to take appropriate steps as are necessary, from time to time, to ensure that the data of the people is safe with Co-WIN”.


Do subscribe to our Telegram channel for more resources and discussions on technology law and news. To receive weekly updates, don’t forget to subscribe to our Newsletter.

You can also follow us on InstagramFacebookLinkedIn, and Twitter for frequent updates and news flashes about #technologylaw.

Rohit Ranjan Praveer

Rohit is a practicing advocate at Delhi. Beginning as a tech enthusiast, Rohit always had a keen interest in computer forensics and information security. Building upon these fundamentals, he has undertaken extensive research on various techno-legal topics and continues his pursuit pass on valuable information to the masses, with a zeal to build something that outlasts him.​

Share your thoughts!

This site uses Akismet to reduce spam. Learn how your comment data is processed.