After a prolonged cybersecurity debacle, the Indian government has finally addressed an issue that led to the widespread exposure of its citizens’ confidential information. A cybersecurity expert told Egeronix about the discovery of numerous documents leaking online that contained private details of individuals, such as Aadhaar numbers, COVID-19 immunization records, and passport information.
The problem originated from the Indian government’s cloud platform, known as S3WaaS, which is marketed as a “secure and scalable” framework for creating and maintaining Indian government websites.
In 2022, cybersecurity expert Sourajeet Majumder uncovered a configuration error in the S3WaaS platform that left personal information publicly accessible. The exposed data was also indexed by search engines, making it easy for anyone to find online.
Majumder, with the assistance of the digital advocacy group Internet Freedom Foundation, reported the flaw to the Indian Computer Emergency Response Team (CERT-In) and the National Informatics Centre of the Indian government.
CERT-In promptly recognized the problem and removed the exposed links from public search engines.
Despite the initial fix, Majumder observed that the government’s cloud service continued to leave personal details of some citizens exposed up until recently.
After detecting more instances of private data leakage, Majumder sought TechCrunch’s intervention to ensure the data was secured. He mentioned that the leakage of sensitive information had persisted well beyond the initial report of the configuration mistake in 2022.
Following TechCrunch’s report to CERT-In, the compromised files were secured.
Before the story was published, CERT-In did not challenge the details being disclosed. Attempts to get comments from the National Informatics Centre and S3WaaS went unanswered.
Majumder highlighted the difficulty of assessing the full scope of the data breach but mentioned that criminals had reportedly been trading the data on a notorious cybercrime forum before the forum was taken down by U.S. law enforcement. CERT-In did not comment on whether malicious parties had accessed the data.
According to Majumder, the leak could expose citizens to identity theft and fraudulent schemes. He emphasized the broader implications for privacy, especially concerning health information like COVID-19 test results and vaccination statuses, raising concerns over potential discrimination and societal exclusion.
This incident, Majumder suggested, should serve as a critical prompt for security enhancements.