The Indian government has plugged a longstanding cybersecurity leak, which exposed vast amounts of citizens' data for over two years, after persistent complaints and follow-ups by an independent security researcher.
Sourajeet Majumdar, a security researcher who brought the breach to light, told Decode numerous documents containing personal information of citizens, such as Aadhaar numbers, COVID-19 vaccination records, and passport details, were publicly accessible online.
"I became aware of the breach in 2022, following which I promptly notified the authorities and sought assistance from the Internet Freedom Foundation, " Majumdar told Decode.
"Throughout the process, although efforts were made to address some breaches, new ones continued to emerge on the open internet."
It wasn't until last week that the issue was finally resolved in its entirety, Majumdar said.
Internet Freedom Foundation is an Indian digital rights organisation which works in the domain of strategic litigation, policy engagement and civic literacy.
Government's Cloud Service Found To Be Point Of Leak
The Indian government's cloud service, known as S3WaaS, was found to be the point of leak. S3WaaS stands for Secure, Scalable and Sugamya Website as a Service. It has been touted as a cloud service which can "generate secure websites using GIGW (Guidelines for Government Websites)".
The service has been aimed at making websites user friendly, bringing in uniformity and ensuring transparency, accessibility and seamless dissemination of information.
The vulnerability, initially observed on January 16, 2022, exposed sensitive personal data, which could be readily accessed through a simple Google search. This data included Personally Identifiable Information (PII) such as the beneficiary's name, type of beneficiary, vaccination status, vaccination dose status, mobile number, document type (e.g., Aadhar, voter ID, PAN card, driver's license, passbook, passport, health insurance, service identity card, etc.), document number, age, pincode, state/union territory, district, block, facility, facility category, and registered date.
These details were accessible because they were indexed by search engines. Additionally, numerous malicious actors also took advantage of the vulnerability and subsequently released the data on various data breach marketplaces.
The breach turned out to be more extensive than initially expected. The misconfiguration vulnerability on the website enabled access to numerous confidential documents, including some containing sensitive and protected information of Indian citizens.
According to Majumdar, the volume data leaked was so much that "it was not possible to accurately estimate its true extent". In an email sent to Decode, the security researcher also shared documents which contained masked screenshots of the leaked data.
Also Read:Influencers Drum Up Publicity For The Government Without Disclaimers
Are data leaks plaguing India's cybersecurity?
Initially, Majumdar reported the incident to India’s computer emergency response team, CERT-In, and the National Informatics Centre. CERT-In promptly acknowledged the issue and removed links containing sensitive files from public search engines. However, despite repeated warnings about the data spill, personal information of some individuals continued to be exposed through the Indian government cloud service as recently as last week.
Recognising the seriousness of the situation and with evidence of ongoing exposures of private data, Majumder sought assistance from TechCrunch, a tech-focused media group, to secure the remaining data. TechCrunch reported some of the exposed data to CERT-In, and Majumder confirmed that those files are no longer publicly accessible.
The data leak in question contributes to a series of significant leaks that have occurred previously, varying in size from some comparable in scale to others smaller in volume. In fact, India ranked 5th in the list of most breached countries with 5.3 million leaked accounts in 2023.
In October 2023, Resecurity, an American cyber security company, highlighted how the personally identifiable information of 815 million Indian citizens, including Aadhaar numbers and passport details, were being sold on the dark web.
Earlier in the same year, there were reports of a suspected leak in the CoWIN portal. A bot on the messaging platform Telegram was said to be disclosing the personal information of Indian citizens. This data purportedly included names, Aadhaar numbers, and passport numbers of individuals who had registered with the COVID-19 vaccine network for vaccination purposes.
