The Indian authorities has lastly resolved a years-long cybersecurity subject that uncovered reams of delicate knowledge about its residents. A safety researcher completely instructed TechCrunch he discovered no less than lots of of paperwork containing residents’ private data — together with Aadhaar numbers, COVID-19 vaccination knowledge, and passport particulars — spilling on-line for anybody to entry.
At fault was the Indian authorities’s cloud service, dubbed S3WaaS, which is billed as a “secure and scalable” system for constructing and internet hosting Indian authorities web sites.
Safety researcher Sourajeet Majumder instructed TechCrunch that he discovered a misconfiguration in 2022 that was exposing residents’ private data saved on S3WaaS to the open web. As a result of the non-public paperwork had been inadvertently made public, search engines like google additionally listed the paperwork, permitting anybody to actively search the web for the delicate non-public citizen knowledge.
With help from digital rights group the Web Freedom Basis, Majumder reported the incident on the time to India’s pc emergency response crew, referred to as CERT-In, and the Indian authorities’s Nationwide Informatics Centre.
CERT-In shortly acknowledged the problem, and hyperlinks containing delicate recordsdata from public search engines like google had been pulled down.
However Majumder mentioned that regardless of repeated warnings in regards to the knowledge spill, the Indian authorities cloud service was nonetheless exposing some people’ private data as not too long ago as final week.
With proof of ongoing exposures of personal knowledge, Majumder requested TechCrunch for assist getting the remaining knowledge secured. Majumder mentioned that some residents’ delicate knowledge started spilling on-line lengthy after he first disclosed the misconfiguration in 2022.
TechCrunch reported a few of the uncovered knowledge to CERT-In. Majumder confirmed that these recordsdata are not publicly accessible.
When reached previous to publication, CERT-In didn’t object to TechCrunch publishing particulars of the safety lapse. Representatives for the Nationwide Informatics Centre and S3WaaS didn’t reply to a request for remark.
Majumder mentioned it was not attainable to precisely estimate the true extent of this knowledge leak, however warned that dangerous actors had been purportedly promoting the information on a recognized cybercrime discussion board earlier than it was shuttered by U.S. authorities. CERT-In wouldn’t say if dangerous actors accessed the uncovered knowledge.
The uncovered knowledge, Majumder mentioned, probably places residents vulnerable to identification thefts and scams.
“More than that, when sensitive health information like COVID test results and vaccine records get out, it’s not just our medical privacy that’s compromised — it stirs fears of discrimination and social rejection,” he mentioned.
Majumder famous that this incident must be a “wake-up call for security reforms.”
