As spotted by researchers at VPNMentor, a data dump of at least 8 million Indians PII was exposed publicly. The data collected was a part of the COVID-19 tests, where it contained their test status. Also, there’s a git repository storing the source of their government-made portal and the login credentials of the admin’s dashboard were available for anyone to access!
8 Million Indians COVID-19 Data Exposed
In a shameless act, the Uttar Pradesh (UP) government’s “Surveillance Platform Uttar Pradesh Covid-19″ portal has no proper security protocols to safeguard the citizens’ data, and allegedly exposed PII of millions of Indians. As reported by VPNMentor researchers, the portal is crafted by the UP government to track and maintain the COVID-19 data.
Firstly, the git repository containing the source code of that portal, along with data of millions of people has weak authentication protocols. Researchers say anyone with the knowledge of the site’s URL and login credentials can sing-in. Also, there’s a data dump containing the login details (username/password) of all the admins handling the portal!
What’s grueling is that the passwords set for accessing such a highly sensitive database are just of a four-digit number! Making it worse, it’s even shared by several other admins! Adding this disgusting is a directory, which has hundreds of CSV files containing the PII of at least 8 million citizens!
The data is having details about citizens COVID-19 status, alongside the contact details and history – all accessible to anyone without a password. Researchers warn such exposed data can be exploited in many ways.
For example, an ill-intent person can check and modify the patient data, his/her test results, switch results between persons.
These can result in sending non-positive people to quarantine and even ending quarantine people of positive patients earlier. Considering the sensitivity of this data, researchers contacted the UP government but haven’t received any response. But they helped to secure the open database on September 10th after contacting the CERT-In, India’s national threat response team.