The Indian government had long been struggling with a major cybersecurity issue that had jeopardized sensitive information about its citizens. According to a security researcher who spoke exclusively to TechCrunch, hundreds of documents containing personal data of citizens, such as Aadhaar numbers, COVID-19 vaccination records, and passport details, were left exposed online for anyone to access.
“At fault was the Indian government’s cloud service, dubbed S3WaaS, which is supposed to be a ‘secure and scalable’ system for creating and hosting government websites,” said security researcher Sourajeet Majumder.
Majumder revealed that a misconfiguration in 2022 led to the leaking of personal data stored on S3WaaS to the public. This not only made the private documents easily accessible but also caused search engines to index the information, making it possible for anyone to find sensitive data about citizens.
Upon learning of the incident, Majumder and digital rights group Internet Freedom Foundation reported it to CERT-In, India’s computer emergency response team, and the National Informatics Centre. CERT-In took immediate action and removed the links containing sensitive files from public search engines.
However, despite repeated warnings, Majumder discovered that the Indian government’s cloud service was still exposing personal information of some citizens as recently as last week. With evidence of ongoing data exposures, Majumder turned to TechCrunch for help in securing the remaining data. He also revealed that the data had been sold on a cybercrime forum before the forum was shut down by U.S. authorities. CERT-In declined to comment on whether bad actors had accessed the exposed data.
“It’s concerning that citizens’ sensitive data, especially COVID-related health information, is being compromised. It not only puts our medical privacy at risk but also raises fears of discrimination and social exclusion,” said Majumder.
He emphasized that this incident should serve as a “wake-up call for implementing security reforms.” The true extent of the data leak is still unknown, but Majumder believes it poses a significant risk of identity theft and scams for citizens. While CERT-In did not object to TechCrunch publishing details of the security lapse, there has been no response from representatives of the National Informatics Centre and S3WaaS.