[BreachExchange] India’s COVID-19 surveillance tool exposed millions of user data

Destry Winant destry at riskbasedsecurity.com
Thu Sep 24 10:31:38 EDT 2020


https://www.hackread.com/india-covid-19-surveillance-tool-exposed-user-data/

The COVID-19 surveillance tool built by the Uttar Pradesh state
government has put the data of approx. 8 million Indian citizens at risk.

A research report from VPNmentor revealed that a COVID-19 surveillance
tool dubbed Surveillance Platform Uttar Pradesh COVID-19 was
compromised on August 1st, leading to a massive data breach.

According to researchers, various vulnerabilities were exploited to
compromise the surveillance platform, but the primary reason behind
the breach was a severe lack of security.

VPNmentor researchers noted that the regional government of Uttar
Pradesh developed the tool as part of a large-scale mapping project.
Its primary purpose was to track and trace coronavirus patients across
India, and the lack of “data security protocols inadvertently left
access to the platform wide open,” exposing the data of millions in
India.

Researchers claim that the tool contained many vulnerabilities, all of
which exposed personally identifiable information (PII). The
exposed data includes full names, gender, age, residential address,
and contact numbers of everyone who had tested COVID-19 positive in
Uttar Pradesh (UP), one of the country’s largest states, and other
parts of India.

The data was secured a month after VPNmentor’s team discovered it.
According to VPNmentor’s analysts Ran Locar and Noam Rotem, the first
vulnerability was identified in an unsecured and unencrypted git
repository containing a “data dump” of login credentials, which
included admin account usernames and passwords stored on the
platform.

CSV file listing individual daily cases and PII data (Image: vpnMentor)

According to vpnMentor’s blog post, based on this discovery, the
researchers found an exposed web index containing a directory listing
of CSV files. It had information about all known cases of COVID-19 in UP
and other locations in India.

Sensitive private data, including full name, phone numbers, addresses,
and test results of approximately 8 million citizens, was part of the
listing. This Web Index also contained information about foreign
residents, non-Indians, and healthcare workers, and wasn’t protected
with a password.

Researchers believe that although the directory listing hasn’t
impacted UP’s surveillance system directly, it certainly has “severely
compromised the safety of the millions of people listed in the CSV
files, whose data probably originated from the surveillance platform
and other sources.”

The researchers reported the issue to the Indian government and the UP
cyber-crime department, which didn’t respond. The government shared its findings
with the country’s Computer Emergency Response Team CERT-IN on August
27th. VPNMentor’s team again contacted CERT-IN on September 7th and
forced the organization to fix the issue. Finally, it was fixed by
September 10th.

There’s no evidence that a hacker misused the exposed data, but
researchers believe that the impact of the vulnerabilities in the
surveillance tool could be far-reaching.

“Such malicious actions would have many real-world consequences on the
effectiveness of Uttar Pradesh’s response and action against
coronavirus, potentially causing extreme disruption and chaos,” the
researchers noted.

