The personal data of thousands of people in India has been leaked from a government server which includes their name, mobile number, address and Covid test result, and this information can be accessed via an online search.
The leaked data was put up for sale on the Raid Forums site where a cybercriminal claims to have the personal data of over 20,000 people. The data put on Raid Forums shows the name, age, gender, mobile number, address, date and result of the Covid-19 report of these people.
Cybersecurity researcher Rajshekhar Rajaharia also tweeted that Personally Identifiable Information (PII), including name and Covid-19 results, are made public through a Content Delivery Network (CDN).
He said Google had indexed thousands of data from the affected system. “PII, including name, MOB, PAN, address, etc. of #Covid19 #RTPCR results and #Cowin data made public via a government CDN. #Google has indexed nearly 9 public/private Lac # GovtDocuments in search engines. Patient data is now listed on #DarkWeb. Need de-indexing fast,” Rajaharia said in his tweet.
An e-mail query sent to the Ministry of Electronics and Computers did not elicit a response. The sample document shared on the Raid forums shows that the leaked data was meant to be uploaded to the Co-WIN portal.
The government has relied heavily on digital technologies to control and raise awareness about the Covid-19 pandemic as well as its vaccination programme.
Several ministries are asking people to use the Aarogya Setu app for Covid-19 related services and information. Rajaharia in a follow-up tweet on January 20 said he was not reporting any vulnerabilities in this incident, but warning people to remain vigilant for scam calls, Covid-19 related offers, etc. they might receive as their data is sold in the dark web. Data sold on the dark web is often exploited by cybercriminals and fraudsters for various types of fraud.