The COVID-19 surveillance tool built by the Uttar Pradesh state government has put data of approx. 8 million Indian citizens at risk.
A research report from VPNmentor revealed that a COVID-19 surveillance tool dubbed Surveillance Platform Uttar Pradesh COVID-19 was compromised on August 1st, leading to a massive data breach.
According to researchers, various vulnerabilities were exploited to compromise the surveillance platform, but the primary reason behind the breach was a severe lack of security.
VPNnentor researchers noted that the regional government of Uttar Pradesh developed the tool as part of a large-scale mapping project. Its primary purpose was to track and trace coronavirus patients across India, and the lack of “data security protocols inadvertently left access to the platform-wide open,” exposing the data of millions in India.
Researchers claim that the tool contained many vulnerabilities, all of which were exposing personally identifiable information data. The exposed data includes full names, gender, age, residential address, and contact numbers of everyone who had tested COVID-19 positive in Uttar Pradesh (UP), one of the country’s largest states, and other parts of India.
The data was secured a month after VPNmentor’s team discovered it. According to VPNMentor’s analyst Ran Locar and Noam Rotem, the first vulnerability was identified in an unsecured and unencrypted git repository containing a “data dump” of login credentials, which included admin accounts usernames and passwords stored on the platform.
According to vpnMentor’s blog post, based on this discovery, the researchers found an exposed Web Index containing CSV files directory listing. It had information about all known cases of COVID-19 in UP and other locations in India.
Sensitive private data, including full name, phone numbers, addresses, and test results of approximately 8 million citizens, was part of the listing. This Web Index also contained information about foreign residents, non-Indians, and healthcare workers, and wasn’t protected with a password.
Researchers believe that although the directory listing hasn’t impacted UP’s surveillance system directly, it certainly has “severely compromised the safety of the millions of people listed in the CSV files, whose data probably originated from the surveillance platform and other sources.”
The researchers reported the Indian government and the UP cyber-crime department, which didn’t respond. The government shared its findings with the country’s Computer Emergency Response Team CERT-IN on August 27th. VPNMentor’s team again contacted CERT-IN on September 7th and forced the organization to fix the issue. Finally, it was fixed by September 10th.
There’s no evidence that a hacker misused the exposed data, but researchers believe that the impact of the vulnerabilities in the surveillance tool could be far-reaching.
“Such malicious actions would have many real-world consequences on the effectiveness of Uttar Pradesh’s response and action against coronavirus, potentially causing extreme disruption and chaos,” the researchers noted.