Years of personal data leaks: Indian government’s cloud

The Indian government has finally resolved a years-long cybersecurity issue that exposed reams of sensitive data about its citizens. At fault was the Indian government’s cloud service, dubbed S3WaaS, which is billed as a “secure and scalable” system for building and hosting Indian government websites. With evidence of ongoing exposures of private data, Majumder asked TechCrunch for help getting the remaining data secured. Majumder said that some citizens’ sensitive data began spilling online long after he first disclosed the misconfiguration in 2022. The exposed data, Majumder said, potentially puts citizens at risk of identity thefts and scams.

The Indian government had long been struggling with a major cybersecurity issue that had jeopardized sensitive information about its citizens. According to a security researcher who exclusively spoke to TechCrunch, hundreds of documents containing personal data of citizens, such as Aadhaar numbers, COVID-19 vaccination records, and passport details, were left exposed online for anyone to access.

“At fault was the Indian government’s cloud service, dubbed S3WaaS, which is supposed to be a ‘secure and scalable’ system for creating and hosting government websites,” said security researcher Sourajeet Majumder.

Majumder revealed that a misconfiguration in 2022 led to the leaking of personal data stored on S3WaaS to the public. This not only made the private documents easily accessible but also caused search engines to index the information, making it possible for anyone to find sensitive data about citizens.

Upon learning of the incident, Majumder and digital rights group Internet Freedom Foundation reported it to CERT-In, India’s computer emergency response team, and the National Informatics Centre. CERT-In took immediate action and removed the links containing sensitive files from public search engines.

However, despite repeated warnings, Majumder discovered that the Indian government’s cloud service was still exposing personal information of some citizens as recently as last week. With evidence of ongoing data exposures, Majumder turned to TechCrunch for help in securing the remaining data. He also revealed that the data had been sold on a cybercrime forum before being shut down by U.S. authorities. CERT-In declined to comment on whether bad actors had accessed the exposed data.

“It’s concerning that citizens’ sensitive data, especially COVID-related health information, is being compromised. It not only puts our medical privacy at risk but also raises fears of discrimination and social exclusion,” said Majumder.

He emphasized that this incident should serve as a “wake-up call for implementing security reforms.” The true extent of the data leak is still unknown, but Majumder believes it poses a significant risk of identity theft and scams for citizens. While CERT-In did not object to TechCrunch publishing details of the security lapse, there has been no response from representatives of the National Informatics Centre and S3WaaS.

Avatar photo
Ava Patel

Ava Patel is a cultural critic and commentator with a focus on literature and the arts. She is known for her thought-provoking essays and reviews, and has a talent for bringing new and diverse voices to the forefront of the cultural conversation.

Articles: 888

Leave a Reply

Your email address will not be published. Required fields are marked *