\n<\/p>\n
The Indian government has finally resolved a years-long cybersecurity issue that exposed reams of sensitive data about its citizens. A security researcher exclusively told TechCrunch he found at least hundreds of documents containing citizens\u2019 personal information \u2014 including Aadhaar numbers, COVID-19 vaccination data, and passport details \u2014 spilling online for anyone to access.<\/p>\n
At fault was the Indian government\u2019s cloud service, dubbed S3WaaS, which is billed as a \u201csecure and scalable\u201d system for building and hosting Indian government websites.<\/p>\n
Security researcher Sourajeet Majumder told TechCrunch that he found a misconfiguration in 2022 that was exposing citizens\u2019 personal information stored on S3WaaS to the open internet. Because the private documents were inadvertently made public, search engines also indexed the documents, allowing anyone to actively search the internet for the sensitive private citizen data.<\/p>\n
With support from digital rights organization the Internet Freedom Foundation, Majumder reported the incident at the time to India\u2019s computer emergency response team, known as CERT-In, and the Indian government\u2019s National Informatics Centre.<\/p>\n
CERT-In quickly acknowledged the issue, and links containing sensitive files from public search engines were pulled down.<\/p>\n
But Majumder said that despite repeated warnings about the data spill, the Indian government cloud service was still exposing some individuals\u2019 personal information as recently as last week.<\/p>\n
With evidence of ongoing exposures of private data, Majumder asked TechCrunch for help getting the remaining data secured. Majumder said that some citizens\u2019 sensitive data began spilling online long after he first disclosed the misconfiguration in 2022.<\/p>\n
TechCrunch reported some of the exposed data to CERT-In. Majumder confirmed that those files are no longer publicly accessible.<\/p>\n
When reached prior to publication, CERT-In did not object to TechCrunch publishing details of the security lapse. Representatives for the National Informatics Centre and S3WaaS did not respond to a request for comment.<\/p>\n
Majumder said it was not possible to accurately estimate the true extent of this data leak, but warned that bad actors were purportedly selling the data on a known cybercrime forum before it was shuttered by U.S. authorities. CERT-In would not say if bad actors accessed the exposed data.<\/p>\n
The exposed data, Majumder said, potentially puts citizens at risk of identity thefts and scams.<\/p>\n
\u201cMore than that, when sensitive health information like COVID test results and vaccine records get out, it\u2019s not just our medical privacy that\u2019s compromised \u2014 it stirs fears of discrimination and social rejection,\u201d he said.<\/p>\n
Majumder noted that this incident should be a \u201cwake-up call for security reforms.\u201d<\/p>\n<\/p><\/div>\n