Indian State Government Website Data Leak Exposes COVID-19 Test Results

Data Breach Exposes COVID-19 Test Results in West Bengal

A significant security vulnerability within a website operated by the West Bengal government in India led to the exposure of COVID-19 test results. The data potentially compromised belonged to hundreds of thousands, and possibly millions, of individuals who underwent testing.

Government Testing Program and the Vulnerability

The affected website served as a central component of West Bengal’s widespread coronavirus testing initiative. Following a completed test, citizens received a text message containing a link to access their results online.

However, security researcher Sourajeet Majumder identified a critical flaw. The link, incorporating a unique patient identification number, was encoded using base64, a readily reversible encoding method available through numerous online tools.

Exploitation of Sequential IDs

Because the patient identification numbers were assigned sequentially, the website’s vulnerability allowed unauthorized access to other individuals’ test results. Simply modifying the number within the browser’s address bar enabled viewing of different patient data.

Sensitive Information at Risk

The exposed test results contained a range of personally identifiable information. This included the patient’s name, sex, age, and postal address. Crucially, the results also revealed whether the test returned a positive, negative, or inconclusive finding for COVID-19.

Concerns Regarding Data Misuse

Majumder voiced concerns to TechCrunch about the potential for malicious actors to exploit the vulnerability. He highlighted the risk of data scraping and subsequent sale of the compromised information, emphasizing the privacy implications for affected individuals.

Reporting and Government Response

Majumder promptly reported the vulnerability to India’s CERT (Computer Emergency Response Team), the nation’s cybersecurity response unit. CERT acknowledged the issue via email.

He also attempted to contact the West Bengal government’s website manager, but received no response. TechCrunch independently verified the vulnerability and contacted the government, which subsequently took the website offline.

Delayed Publication and Ongoing Status

TechCrunch deliberately delayed publishing its report until the vulnerability was addressed or no longer posed a threat. As of the time of publication, the website remains inaccessible.

Scale of the Data Exposure

The precise number of exposed COVID-19 lab results remains unknown. It is also unclear if anyone besides Majumder discovered and exploited the vulnerability. When the website was taken offline in late February, over 8.5 million residents had been tested in the state.

Regional Context and Pandemic Impact

West Bengal is a densely populated Indian state, home to approximately 90 million people. Throughout the pandemic, the state government has recorded over 10,000 coronavirus-related deaths.

Recent Security Incidents in India

This incident is the latest in a series of security breaches impacting India’s response to the coronavirus pandemic in recent months.

In May of the previous year, Jio, India’s largest mobile network, acknowledged a security lapse involving a database containing data from its coronavirus symptom checker.

Furthermore, in October, a researcher discovered that Dr Lal PathLabs had left numerous spreadsheets containing millions of patient records – including COVID-19 test data – on a publicly accessible, unprotected server.

Secure Communication Channels

• Send tips securely via Signal and WhatsApp: +1 646-755-8849
• Utilize SecureDrop for file and document submissions.