• Home
  • Internet
  • Internet News
  • COVID 19 Surveillance Tool Apparently Used in Uttar Pradesh Exposed Data of Over 80 Lakh People: Researchers

COVID-19 Surveillance Tool Apparently Used in Uttar Pradesh Exposed Data of Over 80 Lakh People: Researchers

Researchers noticed the data breach through the tool called “Surveillance Platform Uttar Pradesh COVID-19” initially on August 1.

Share on Facebook Tweet Snapchat Share Reddit Comment
COVID-19 Surveillance Tool Apparently Used in Uttar Pradesh Exposed Data of Over 80 Lakh People: Researchers

The COVID-19 surveillance tool was discovered exposing personalising identifiable data of individuals

Highlights
  • Initial vulnerability was found an unsecured git repository
  • The tool exposed names, numbers, and addresses of individuals
  • It included data of non-Indian citizens and foreign residents as well

A COVID-19 surveillance tool that was apparently built by the state government of Uttar Pradesh put the data of 80 lakh citizens at risk, according to a report. The tool was found to have numerous vulnerabilities that all were exposing personally identifiable information data that included full names, ages, genders, resident addresses, and phone numbers of every individual who was tested for COVID-19 in the country's biggest state and its other parts, according to researchers. The data breach got secured on September 10 — over a month after it was first noticed.

Researchers from virtual private network (VPN) service provider VPNMentor noticed the data breach through the tool called “Surveillance Platform Uttar Pradesh COVID-19” on August 1. The surveillance platform was compromised through various vulnerabilities and all of them were pointing to a severe lack of security, the researchers noted in a blog post.

The first vulnerability was found in an unsecured git repository that contained a “data dump” of stored login credentials including usernames and passwords for admin accounts on the platform. Based on the initial discovery, VPNMentor analysts Noam Rotem and Ran Locar discovered an exposed Web index that contained a directory listing of CSV files. Those files listed all known cases of COVID-19 testing in Uttar Pradesh and other parts of India, reaching the amount of over 80 lakh people. There were data such as full names, addresses, and phone numbers along with test results of individuals.

The Web index also included the data of non-Indian citizens and foreign residents. Further, there were lists that had the information about many healthcare workers, according to the discovery.

Researchers mentioned in the blog post that the Web index was accessible without any password and was completely open to the public.

“While the directory listing didn't directly impact Uttar Pradesh's surveillance platform, it severely compromised the safety of the millions of people listed in the CSV files, whose data probably originated from the surveillance platform and other sources,” the researchers said.

After collecting the details from the discovery, the researchers submitted the report to share with the Indian government. The report was forwarded to the country's Computer Emergency Response Team CERT-In on August 27. The team of researchers also reached the UP cybercrime department, though it didn't respond. On September 7, CERT-In was reached out again by the researchers that eventually helped fix the issues, as per the blog post.

“Such malicious actions would have many real-world consequences on the effectiveness of Uttar Pradesh's response and action against coronavirus, potentially causing extreme disruption and chaos,” the researchers noted.

There is no information whether any of the exposed data was compromised by an attacker. However, the researchers at VPNMentor believe that the effect of the vulnerabilities in the surveillance tool could be felt far beyond the authorities working on COVID-19 relief in Uttar Pradesh.


Should the government explain why Chinese apps were banned? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Further reading: COVID 19, coronavirus, Uttar Pradesh
Jagmeet Singh Jagmeet Singh writes about consumer technology for Gadgets 360, out of New Delhi. Jagmeet is a senior reporter for Gadgets 360, and has frequently written about apps, computer security, Internet services, and telecom developments. Jagmeet is available on Twitter at @JagmeetS13 or Email at jagmeets@ndtv.com. Please send in your leads and tips. More
Jio Postpaid Plus Announced, Brings Unlimited Voice Calls, Access to Streaming Apps, and More

Related Stories

 
 

Advertisement

Advertisement

© Copyright Red Pixels Ventures Limited 2020. All rights reserved.
Listen to the latest songs, only on JioSaavn.com