The Indian government has finally resolved a long-standing cybersecurity issue that exposed a trove of sensitive data about its citizens. A security researcher exclusively told TechCrunch that he found at least hundreds of documents containing citizens’ personal information — including Aadhaar numbers, COVID-19 vaccination data and passport details — leaked online for anyone to access.
The culprit was the Indian government’s cloud service, dubbed S3WaaS, which bills itself as a “secure and scalable” system for building and hosting Indian government websites.
Security researcher Sourajeet Majumder told TechCrunch that he found a misconfiguration in 2022 that exposed citizens’ personal information stored on S3WaaS to the open internet. Because private documents were inadvertently made public, search engines also indexed the documents, allowing anyone to search the internet for private citizens’ sensitive data.
With the support of the digital rights group Internet Freedom Foundation, Majumder reported the incident at the time to India’s computer emergency response team, known as CERT-In, and the Indian government’s National Informatics Centre.
CERT-In quickly recognized the problem, and links to the sensitive files were pulled from public search engines.
However, Majumder said that despite repeated warnings about the data leak, the Indian government cloud service was still exposing some people’s personal information as recently as last week.
With evidence of ongoing exposures of private data, Majumder asked TechCrunch for help securing the rest of the data. Majumder said some sensitive citizen data started leaking online long after he revealed the misconfiguration in 2022.
TechCrunch reported some of the exposed data to CERT-In. Majumder confirmed that these files are no longer publicly accessible.
When reached before publication, CERT-In did not object to TechCrunch publishing details of the security breach. Representatives for the National Informatics Centre and S3WaaS did not respond to a request for comment.
Majumder said it was not possible to accurately estimate the true extent of this data leak, but warned that bad actors allegedly sold the data on a well-known cybercrime forum before it was shut down by US authorities. CERT-In would not say whether bad actors accessed the exposed data.
The exposed data, Majumder said, potentially puts citizens at risk of identity theft and fraud.
“More than that, when sensitive health information like COVID test results and vaccine records are made public, it’s not just our medical privacy that’s at stake — it raises fears of discrimination and social rejection,” he said.
Majumder noted that this incident should be a “wake-up call for security reforms.”