Telangana Government Site Flaw Exposed Sensitive Data of All Its Employees, Pensioners; Fixed Only After Three Months
Hackers could have exploited the vulnerability to launch targeted attacks
Telangana state government took over three months to protect sensitive details of its employees and pensioners from its website. The Indian Computer Emergency Response Team (CERT-In) confirmed the vulnerability and replied on email in September to say that the authorities had been intimated about the issue, and Telangana IT Secretary Jayesh Ranjan assured a fix.
In August, a server misconfiguration was found on the Telangana government site that risked exposing over 130,000 official files. Those files included thousands of government employee payslips, income tax details, and pension documents that had information including full names, addresses, bank account numbers along with IFSC codes, phone numbers, and salaries drawn, among other data.
The misconfiguration was discovered by a security researcher who goes by @_ars1an on Twitter.
Some of the exposed files also included photos and thumb impressions of various state government employees and pensioners. Similarly, tax and pension details of some senior citizens who were government employees were also vulnerable that could have been accessed by hackers for severe attacks targeting the gullible population.
“The way the whole website is designed, I won’t be surprised if the data is already dumped and ready to be downloaded from the dark Web,” the researcher told Gadgets 360.
Shortly after understanding the flaw, Gadgets 360 emailed the Telangana IT minister KT Rama Rao to inform about the exposure on August 28. The minister didn’t respond to the email.
Gadgets 360 also sent the details to Telangana IT Secretary Jayesh Ranjan on the same date. The IT Secretary replied to Gadgets 360 on August 29 where he assured a fix, and continued correspondence for over a month to follow-up on the issue. CERT-In also separately said in an email that the authorities were intimated about the vulnerability.
However, the IT team behind the Telangana government site initially just disabled the directories exposing files with confidential data and did not fix the exact flaw, according to the security researcher. It then took months to rectify the misconfiguration.
How could this data be misused?
Personal data like names and banking information is not directly something that can be used against a person. However, that does not mean it’s safe to expose this information. “People could use the data to launch phishing scams against the victims, based on their payment and bank account details,” said Srinivas Kodali, an interdisciplinary researcher working on data, society, and the Internet.
Ukraine-based cybersecurity consultant Bob Diachenko stated that while the open directory issue exposing sensitive files was no longer there on the Telangana government site, it was still quite vulnerable.
“They closed the most obvious gaps but if you just look closer — this ship is wrecked,” he told Gadgets 360. Diachenko said the site needs to be rebuilt as a whole.
Media reports suggest that the Telangana government site had some serious vulnerabilities and data security flaws in the past as well. One of those — surfaced in February 2018 — allegedly disclosed Aadhaar details of 56 lakh National Rural Employment Guarantee scheme beneficiaries and 40 lakh beneficiaries of the social security pensions. A server misconfiguration similar to the latest one was also reported in November last year.
Experts note that protecting a site from the issues like the ones affecting the Telangana government site do not require any special knowledge and can be avoided by simply deploying a Web firewall and following a proper framework.
“They are just missing the simple checks,” said Diachenko.
Sandeep Kumar Shukla, Head of Computer Science and Engineering Department, Indian Institute of Technology, Kanpur, told Gadgets 360 that the kind of work the government site required, was taught to students. He also emphasised that the state government should have found out the flaws if it had carried out a single vulnerability assessment before putting up something in the public domain.
Shukla often conducts various cybersecurity programmes and is heading a Centre for Cybersecurity and Defence of Critical Infrastructure.
“In general, there should be proper laws, compliance requirements and regulations, which would force big organisations to actually hire competent people to make sure that their information systems are secured,” he said. “Even if you have the best security professionals, you may not have 100 percent personal security, but you have to show due diligence and what you saw in this case was complete lack of due diligence.”
Though India has long planned an equivalent to Europe’s General Data Protection Regulation (GDPR), the absence of such stringent laws means that companies — and government agencies, don’t have to face consequences for public data leaks.
Advocate Prasanna S, a “coder turned lawyer”, who appeared before the Supreme Court in the Aadhaar case, told Gadgets 360 that it was imperative that the Telangana government notify the general public about the breach and the ongoing efforts to fix it. He also said that even assuming the personal details of individuals had been collected lawfully, inadequate safeguards including not following the timely breach notification process would fall foul of the landmark Puttaswamy judgement of the Supreme Court that recognised privacy as a fundamental right.
“Breach notification is an important principle of data protection, as is adoption of reasonable security practices to prevent a repeat,” he said.
Will Apple Silicon Lead to Affordable MacBooks in India? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.