The Indian government has finally fixed a cloud security issues that leaked personal data online for years

News
By Sead Fadilpašić
published

A two-year-old flaw was finally fixed

Laptop with binary computer code and India flag on the screen
(Image credit: Shutterstock)

The Indian government has fixed a cloud security issue that leaked personal data online for years.

Back in 2022, security researcher Sourajeet Majumder discovered that the Indian government was spilling sensitive data on hundreds of individuals, including Covid-19 vaccination data, passport information, and Aadhaar numbers (government identification numbers). The leak was due to a misconfigured database provided by the Indian government’s cloud service, S3WaaS. 

As a result of this misconfiguration, the data was made public on the wide web, and search engines soon indexed the files. Therefore, whoever searched for the data, using any of today’s most popular search engines, would be able to easily find it.

Data for sale

While Majumder managed to get the search engines to pull down the links, with the help of digital rights organization the Internet Freedom Foundation, the government’s computer emergency response team (CERT-In), and the Indian government’s National Informatics Centre, the government kept leaking the data.

A report on TechCrunch claims the data was leaking as recently as last week but, with the help of the publication, was finally secured.

Majumder told the media that the true extent of the data leak is impossible to determine, but stated that threat actors were selling the data on known cybercrime forums. Hackers were using the information to mount identity theft scams and phishing attacks.

“More than that, when sensitive health information like COVID test results and vaccine records get out, it’s not just our medical privacy that’s compromised — it stirs fears of discrimination and social rejection,” he said.

Misconfigured databases continue to be one of the biggest causes of data spills, nowadays. Many organizations hold vast troves of employee, client, and customer data on publicly accessible locations, without even a password to protect them. Earlier this year, it was reported that the entire population of Brazil may have had its sensitive data exposed this way.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.