A significant cybersecurity breach in India has exposed sensitive personal data of citizens, including Aadhaar numbers, COVID-19 vaccination records, and passport details, due to a misconfiguration in the Indian government’s cloud service, S3WaaS.
Security researcher Sourajeet Majumder discovered the misconfiguration back in 2022 and promptly reported it to India’s computer emergency response team (CERT-In) and the National Informatics Centre, with assistance from the Internet Freedom Foundation.
While CERT-In acknowledged the issue and took down links containing sensitive files from public search engines, some personal information remained exposed despite repeated warnings.
Seeking further assistance, Majumder collaborated with TechCrunch to secure the remaining data.
TechCrunch reported some exposed data to CERT-In, leading to its removal from public access.
However, representatives for the National Informatics Centre and S3WaaS did not respond to requests for comment, leaving the government’s response to the breach unclear.
The true extent of the data leak remained uncertain, but Majumder raised concerns about bad actors purportedly selling the data on a cybercrime forum, which was later shut down by U.S. authorities.
The exposure of such sensitive data poses significant risks to citizens, including identity theft and scams. Moreover, the leakage of health information raises concerns about discrimination and social rejection.
Majumder stressed the urgent need for security reforms in response to this incident, emphasizing the potential impact on citizen privacy and security.