Tech | Visa | Scholarship/School | Info Place

India’s government cloud has been leaking citizens’ personal data online for years

The Indian government has finally resolved a years-long cybersecurity issue that exposed vast amounts of sensitive data about its citizens. A security researcher told TechCrunch exclusively that he has discovered that at least hundreds of documents containing citizens’ personal information — including Aadhaar numbers, COVID-19 vaccination data, and passport details — were leaked online and can be accessed by anyone.

The problem lies with the Indian government’s cloud service, known as S3WaaS, which is promoted as a “secure and scalable” system for building and hosting Indian government websites.

Security researcher Sourajeet Majumder told TechCrunch that he discovered a misconfiguration in 2022 that exposed citizens’ personal information stored on S3WaaS to the open internet. As private documents are inadvertently made public, search engines also index them, allowing anyone to proactively search the Internet for sensitive private citizen data.

Majumder, with the support of digital rights group Internet Freedom Foundation, reported the incident to the Computer Emergency Response Team of India (CERT-In) and the Indian government’s National Informatics Center at the time.

CERT-In quickly acknowledged the problem and removed links containing sensitive documents from public search engines.

But Majumder said that despite repeated warnings about data breaches, the Indian government cloud service was still exposing the personal information of some individuals until last week.

In light of evidence of continued exposure of private data, Majumder asked TechCrunch to help secure the remaining data. Majumder said that long after he first disclosed the misconfiguration in 2022, some citizens’ sensitive data began to be leaked online.

TechCrunch reported some of the exposed data to CERT-In. Majumder confirmed that the documents are no longer publicly accessible.

CERT-In did not object to TechCrunch publishing details of the security vulnerability before publication. Representatives from the National Information Center and S3WaaS did not respond to requests for comment.

Majumder said it was impossible to accurately estimate the true extent of the data breach, but warned that bad actors allegedly sold the data on a known cybercrime forum before U.S. authorities shut down the forum. CERT-In will not disclose whether bad actors accessed the exposed data.

Exposed data could put citizens at risk of identity theft and fraud, Mazumde said.

“What’s more, when sensitive health information such as COVID-19 test results and vaccine records are leaked, it’s not just our medical privacy that’s compromised, it’s also fueling fears of discrimination and social exclusion,” he said.

Mazumde pointed out that this incident should “sound the alarm for security reforms.”

#Indias #government #cloud #leaking #citizens #personal #data #online #years

Leave a Reply

Your email address will not be published. Required fields are marked *