A COVID-19 surveillance tool that was apparently built by the state government of Uttar Pradesh put the data of 80 lakh citizens at risk, according to a report. The tool was found to have numerous vulnerabilities that all were exposing personally identifiable information data that included full names, ages, genders, resident addresses, and phone numbers of every individual who was tested for COVID-19 in the country's biggest state and its other parts, according to researchers. The data breach got secured on September 10 — over a month after it was first noticed.
Researchers from virtual private network (VPN) service provider VPNMentor noticed the data breach through the tool called “Surveillance Platform Uttar Pradesh COVID-19” on August 1. The surveillance platform was compromised through various vulnerabilities and all of them were pointing to a severe lack of security, the researchers noted in a blog post.
The first vulnerability was found in an unsecured git repository that contained a “data dump” of stored login credentials including usernames and passwords for admin accounts on the platform. Based on the initial discovery, VPNMentor analysts Noam Rotem and Ran Locar discovered an exposed Web index that contained a directory listing of CSV files. Those files listed all known cases of COVID-19 testing in Uttar Pradesh and other parts of India, reaching the amount of over 80 lakh people. There were data such as full names, addresses, and phone numbers along with test results of individuals.
The Web index also included the data of non-Indian citizens and foreign residents. Further, there were lists that had the information about many healthcare workers, according to the discovery.
Researchers mentioned in the blog post that the Web index was accessible without any password and was completely open to the public.
“While the directory listing didn't directly impact Uttar Pradesh's surveillance platform, it severely compromised the safety of the millions of people listed in the CSV files, whose data probably originated from the surveillance platform and other sources,” the researchers said.
After collecting the details from the discovery, the researchers submitted the report to share with the Indian government. The report was forwarded to the country's Computer Emergency Response Team CERT-In on August 27. The team of researchers also reached the UP cybercrime department, though it didn't respond. On September 7, CERT-In was reached out again by the researchers that eventually helped fix the issues, as per the blog post.
“Such malicious actions would have many real-world consequences on the effectiveness of Uttar Pradesh's response and action against coronavirus, potentially causing extreme disruption and chaos,” the researchers noted.
There is no information whether any of the exposed data was compromised by an attacker. However, the researchers at VPNMentor believe that the effect of the vulnerabilities in the surveillance tool could be felt far beyond the authorities working on COVID-19 relief in Uttar Pradesh.
Should the government explain why Chinese apps were banned? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.