As spotted by researchers at VPNMentor, a data dump containing the PII of at least 8 million Indians was exposed publicly. The data was collected as part of COVID-19 testing and includes each person's test status. Also, a git repository storing the source of the government-made portal and the login credentials for the admin dashboard were available for anyone to access!
8 Million Indians' COVID-19 Data Exposed
In a shameless act, the Uttar Pradesh (UP) government's "Surveillance Platform Uttar Pradesh Covid-19" portal had no proper security protocols to safeguard citizens' data, and allegedly exposed the PII of millions of Indians. As reported by VPNMentor researchers, the portal was built by the UP government to track and maintain COVID-19 data.
Firstly, the git repository containing the source code of that portal, along with the data of millions of people, has weak authentication protocols. Researchers say anyone who knows the site's URL and login credentials can sign in. Also, there's a data dump containing the login details (username/password) of all the admins handling the portal!
What's alarming is that the passwords set for accessing such a highly sensitive database are just four-digit numbers! Making it worse, they're even shared by several other admins! Adding to this disgusting state is a directory which has hundreds of CSV files containing the PII of at least 8 million citizens!
The data includes details about citizens' COVID-19 status, alongside their contact details and history, all accessible to anyone without a password. Researchers warn that such exposed data can be exploited in many ways.
For example, a person with ill intent can check and modify patient data and test results, or switch results between persons.
This can result in non-positive people being sent to quarantine, and even in the quarantine of positive patients ending early. Considering the sensitivity of this data, researchers contacted the UP government but haven't received any response. But they helped to secure the open database on September 10th after contacting CERT-In, India's national threat response team.