Indian Government's Cloud Exposed Citizen Data for Years

The Indian government's cloud service, S3WaaS, has exposed the sensitive personal information of its citizens for years. As reported by TechCrunch, security researcher Sourajeet Majumder discovered the issue, revealing that Aadhaar numbers, COVID-19 vaccination data, and passport details were among the data compromised due to a misconfiguration in the government's cloud service.

"Because the private documents were inadvertently made public, search engines also indexed the documents," Majumder told TechCrunch. This effectively meant that anyone could search the internet to find the private data of Indian citizens.

Upon discovering the data exposure, Majumder collaborated with the Internet Freedom Foundation to report the vulnerability to India's computer emergency response team, CERT-In, and the National Informatics Centre. CERT-In acted swiftly to remove the sensitive files from public search engines, although Majumder observed that some personal information continued to be exposed until recently.

Additional reports have highlighted similar data exposures involving Indian citizens. India Today revealed at the start of the year that the personal data of 750 million telecom users were being sold on the dark web. Livemint reported that in October of last year, around 815 million Indians' personal information, including Aadhaar and passport details, found its way onto the dark web, with a threat actor offering the data for $80,000.

As these incidents come to light, they serve as a wake-up call for the Indian government and organizations to strengthen their cybersecurity measures and protect the personal information of their citizens. The recurring nature of such incidents, including previous data breaches like the e-payments data leak in 2020, puts a spotlight on the ongoing challenges in securing digital data and the critical need for robust data protection protocols to prevent future exposures.