A major data security lapse, which has now been fixed, within India’s “secure and stable” government cloud, leaked millions of citizen data for years, raising serious concerns about the protection of sensitive citizen information. According to a new report by TechCrunch, a critical vulnerability within S3WaaS, a cloud service utilized by the government to build and host its websites, exposed a significant amount of personal data online for an extended period, putting millions of citizens at risk. The extent of the data leak remains uncertain.
At the heart of the matter lies the Indian government’s cloud service, known as S3WaaS, claimed to be as a secure and scalable platform for hosting government websites. It was within this framework that security researcher Sourajeet Majumder identified a critical misconfiguration in 2022. Majumder’s investigation revealed a flaw that left highly sensitive data readily accessible to anyone with an internet connection. This exposed information included Aadhaar numbers along with COVID-19 vaccination records and even passport details.
Eventually, concerned about the potential consequences, Majumder reported the issue to the Indian Computer Emergency Response Team (CERT-In) and the National Informatics Centre (NIC) two years ago. Fortunately, CERT-In acknowledged the problem swiftly, and initial steps were taken to mitigate the damage. Links containing sensitive information were removed from search engine results, hindering further exposure. However, this wasn’t the end of the story, and despite repeated warnings and attempts to patch the vulnerability, TechCrunch reports that the S3WaaS cloud service continued to expose some citizens’ personal data as recently as April 2024. This ongoing leak prompted Majumder to seek assistance from TechCrunch in order to pressure the authorities for a more comprehensive solution.
What makes this development all the more dire is the type of data exposed, as well as its discoverability. Search engines indexed the exposed files, making them easily searchable online. Malicious actors could potentially exploit this vulnerability to target individuals with personalized scams or commit large-scale identity theft. The potential consequences of this data breach are far-reaching.
This development marks the latest instance of data breaches involving the Indian government – six years ago, a major breach exposed Aadhaar data, a unique identification system for Indian citizens, potentially affecting hundreds of millions of individuals. At that time, the Unique Identification Authority of India (UIDAI) vehemently denied that any system had been compromised. Nonetheless, reports surfaced alleging unauthorized access to personal information of millions of citizens, and over 200 such websites reportedly exposed Aadhaar data and made the database public due to inadequate security measures.
Coming to the consequences of such data breaches, exposed Aadhaar numbers pose a significant threat. Aadhaar, a unique identification system, grants access to a wide range of government services and financial accounts. Malicious actors could exploit leaked Aadhaar numbers to impersonate individuals, potentially leading to unauthorized access to bank accounts, fraudulent loan applications, or even property theft. Citizens could face financial losses and a lengthy process of rectifying any fraudulent activity. Leaked COVID-19 data, including vaccination records and test results, could lead to social discrimination or even endanger individuals’ health by hindering their ability to access medical care due to fear of stigma.