Indian government’s cloud spilled citizens’ personal data online for years

The Indian government has finally resolved a years-old cybersecurity problem that exposed a lot of sensitive data about its citizens. A security researcher exclusively told TechCrunch that he found at least hundreds of documents containing citizens’ personal information – including Aadhaar numbers, COVID-19 vaccination data and passport details – widespread online and accessible to all.

The fault was the Indian government’s cloud service, called S3WaaS, which is billed as a “secure and scalable” system for building and hosting Indian government websites.

Security researcher Sourajeet Majumder told TechCrunch that he found a misconfiguration in 2022 that exposed citizens’ personal information stored on S3WaaS to the open Internet. Because the private documents were inadvertently made public, search engines also indexed the documents, allowing anyone to actively search the Internet for private citizens’ sensitive data.

With the support of the digital rights organization Internet Freedom Foundation, Majumder then reported the incident to India’s Computer Emergency Response Team, known as CERT-In, and the National Emergency Response Center. Indian government IT.

CERT-In quickly recognized the problem and links containing sensitive files from public search engines were removed.

But Majumder said that despite repeated warnings about the data leak, the Indian government’s cloud service was still exposing some people’s personal information as recently as last week.

With evidence of continued private data exposures, Majumder asked TechCrunch for help in securing the remaining data. Majumder said some citizens’ sensitive data began spreading online long after he first disclosed the misconfiguration in 2022.

TechCrunch reported some of the data exposed at CERT-In. Majumder confirmed that these files are no longer publicly available.

When contacted prior to publication, CERT-In did not object to TechCrunch publishing details of the security breach. Representatives for the National Informatics Center and S3WaaS did not respond to a request for comment.

Majumder said it was not possible to accurately estimate the true scale of this data leak, but warned that bad actors may have sold the data on a known cybercrime forum before it was released. be closed by the American authorities. CERT-In would not say whether bad actors accessed the exposed data.

The exposed data, Majumder said, potentially puts citizens at risk of identity theft and scams.

“Moreover, when sensitive health information, such as COVID-19 test results and vaccination records, is disclosed, it is not just our medical privacy that is compromised: it fuels fears of discrimination and social rejection,” he said.

Majumder noted that this incident should be a “wake-up call for security reforms.”


Back to top button