[ad_1]
The Indian government has finally solved a years-long cybersecurity problem that exposed large amounts of sensitive data about its citizens. A security researcher exclusively told TechCrunch that he found at least hundreds of documents containing citizens’ personal information — including Aadhaar numbers, coronavirus vaccination data, and passport details — spread online for anyone to access.
The fault was the Indian government’s cloud service, called S3WaaS, which is described as a “secure and scalable” system for building and hosting Indian government websites.
Security researcher Sourajeet Majumder told TechCrunch that he discovered a misconfiguration in 2022 that was exposing citizens’ personal information stored on S3WaaS to the open internet. As private documents were inadvertently made public, search engines also indexed the documents, allowing anyone to actively search the Internet for citizens’ sensitive private data.
With support from the digital rights organization Internet Freedom Foundation, Majumder reported the incident at the time to India’s Computer Emergency Response Team, known as CERT-In, the Indian government’s National Information Centre.
The CERT-In team quickly acknowledged the issue, and links containing sensitive files were pulled from public search engines.
But despite repeated warnings about the data leak, the Indian government’s cloud service was still exposing some individuals’ personal information as of last week, Majumder said.
With evidence of continued exposure of private data, Majumder asked TechCrunch to help secure the remaining data. Majumder said that sensitive data of some citizens began leaking online long after he first revealed the misconfiguration in 2022.
TechCrunch reported some of the exposed data to CERT-In. Majumder confirmed that these files are no longer available to the public.
When reached before publication, CERT-In did not object to TechCrunch publishing details of the vulnerability. Representatives of the National Information Center and S3WaaS did not respond to a request for comment.
Majumder said it was not possible to accurately estimate the true extent of the data leak, but warned that bad actors were selling data on a well-known cybercrime forum before it was shut down by US authorities. CERT-In will not determine whether bad actors accessed the exposed data.
Majumder said the exposed data potentially puts citizens at risk of identity theft and fraud.
“What’s more, when sensitive health information like coronavirus test results and vaccine records are made public, it’s not just our medical privacy that’s at risk — it raises fears of discrimination and social rejection,” he said.
Majumder noted that this incident should be a “wake-up call for security reforms.”
[ad_2]
Source link
