The Indian government has finally resolved a long-standing cybersecurity issue that exposed large amounts of sensitive data about its citizens. A security researcher exclusively told TechCrunch that he found at least hundreds of documents containing citizens' personal information, including Aadhaar numbers, COVID-19 vaccination data, and passport details, publicly accessible online.
At issue was an Indian government cloud service called S3WaaS, which is touted as a “secure and scalable” system for building and hosting Indian government websites.
Security researcher Sourajeet Majumder told TechCrunch that in 2022 he discovered a misconfiguration that exposed citizens' personal information stored in S3WaaS to the open internet. Because private documents were accidentally made public, search engines also indexed them, allowing anyone to actively search the internet for sensitive citizen data.
With support from digital rights group Internet Freedom Foundation, Majumder reported the incident at the time to India's Computer Emergency Response Team, known as CERT-In, and the Indian government's National Informatics Centre.
CERT-In quickly acknowledged the issue, and links to the sensitive files were removed from public search engines.
However, Majumder said that despite repeated warnings about the data exposure, the Indian government's cloud service continued to expose the personal information of some individuals as recently as last week.
With evidence of continued exposure of personal data, Majumder asked TechCrunch for help in securing the remaining data. Majumder said sensitive data of some citizens began leaking online long after he first disclosed the misconfiguration in 2022.
TechCrunch reported some of the leaked data to CERT-In. Majumder confirmed that these files are no longer publicly available.
CERT-In did not object to TechCrunch publishing details of the security issue when contacted prior to publication. Representatives for the National Informatics Centre and S3WaaS did not respond to requests for comment.
Majumder said it was impossible to accurately estimate the true scope of the data breach, but warned that malicious actors may have sold the data on known cybercrime forums before they were shut down by US authorities. CERT-In did not say whether malicious parties had access to the exposed data.
Majumder said the leaked data could put the public at risk of identity theft and fraud.
“Moreover, the release of sensitive health information, such as COVID-19 test results and vaccine records, not only violates our medical privacy but also stokes fears of discrimination and social rejection,” he said.
Majumder said the incident should serve as a “wake-up call for security reform.”