Telangana Government Site Flaw Exposed Sensitive Data of All Its Employees, Pensioners; Fixed Only After Three Months | Technology News
Telangana state government took over three months to protect sensitive details of its employees and pensioners that were exposed on its website. The Indian Computer Emergency Response Team (CERT-In) confirmed the vulnerability and replied by email in September to say that the authorities had been informed of the issue, and Telangana IT Secretary Jayesh Ranjan assured a fix.
In August, a server misconfiguration was found on the Telangana government site that risked exposing over 130,000 official files. Those files included thousands of government employee payslips, income tax details, and pension documents that had information including full names, addresses, bank account numbers along with IFSC codes, phone numbers, and salaries drawn, among other data.
The misconfiguration was discovered by a security researcher who goes by @_ars1an on Twitter.
Some of the exposed files also included photographs and thumb impressions of state government employees and pensioners. Tax and pension details of senior citizens who were former government employees were exposed as well, giving attackers the material for targeted scams against a population that is often least able to recognise them.
“The way the whole website is designed, I won't be surprised if the data is already dumped and ready to be downloaded from the dark Web,” the researcher told Gadgets 360.
Shortly after confirming the flaw, Gadgets 360 emailed Telangana IT minister KT Rama Rao on August 28 to inform him of the exposure. The minister did not respond to the email.
Gadgets 360 also sent the details to Telangana IT Secretary Jayesh Ranjan on the same date. The IT Secretary replied on August 29, assuring a fix, and continued the correspondence for over a month as Gadgets 360 followed up on the issue. CERT-In also said separately in an email that the authorities had been informed of the vulnerability.
However, the IT team behind the Telangana government site initially only disabled the open directories that were listing files with confidential data and did not fix the underlying flaw, according to the security researcher. It then took months to rectify the misconfiguration.
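The distinction the researcher draws, between hiding a directory listing and actually protecting the files in it, is easy to test. The following is an added example written for this page, not code from the Telangana site, Gadgets 360 or the researcher: a small offline checker that classifies a directory URL and one file path inside it. The host, paths and HTTP responses are constructed for illustration; the index-page signatures are those of Apache and nginx autoindex pages and Python's http.server.

```python
"""
Added example (not code from the Telangana site or Gadgets 360): tells a
hidden directory listing apart from genuinely protected files by comparing
the response for a directory URL with the response for a file inside it.
All responses below are constructed samples, not captures from a real host.
"""
import re
from dataclasses import dataclass

# Signatures of server-generated index pages.
INDEX_MARKERS = (
    re.compile(r"<title>\s*Index of\s+/", re.I),                 # Apache, nginx autoindex
    re.compile(r"<h1>\s*Index of\s+/", re.I),
    re.compile(r"<title>\s*Directory listing for\s+/", re.I),     # Python http.server
)
HREF = re.compile(r'href="([^"?#]+)"', re.I)  # skips Apache's "?C=N;O=D" sort links


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: URL, status code, decoded body."""
    url: str
    status: int
    body: str


def is_directory_listing(resp: Response) -> bool:
    """True if a 200 response body looks like an auto-generated index page."""
    if resp.status != 200:
        return False
    return any(m.search(resp.body) for m in INDEX_MARKERS)


def extract_links(resp: Response) -> list[str]:
    """Entries listed on an index page, minus the parent/self links; [] if not a listing."""
    if not is_directory_listing(resp):
        return []
    return [h for h in HREF.findall(resp.body) if h not in ("../", "./", "/")]


def classify(dir_resp: Response, file_resp: Response) -> str:
    """
    Classify the exposure from the two responses:
      LISTING_AND_FILES_EXPOSED    index page served and the file is fetchable (the original flaw)
      LISTING_HIDDEN_FILES_EXPOSED index page gone, but the file is still public (only obscured)
      PROTECTED                    the file itself is denied (401/403/404)
    """
    listing = is_directory_listing(dir_resp)
    file_open = file_resp.status == 200
    if listing and file_open:
        return "LISTING_AND_FILES_EXPOSED"
    if file_open:
        return "LISTING_HIDDEN_FILES_EXPOSED"
    return "PROTECTED"


# Constructed sample responses; hypothetical host and paths.
DIR_URL = "https://example.invalid/uploads/payslips/"
FILE_URL = DIR_URL + "payslip-2020-08.pdf"

BEFORE_DIR = Response(DIR_URL, 200, """<html><head><title>Index of /uploads/payslips</title></head>
<body><h1>Index of /uploads/payslips</h1><pre>
<a href="../">../</a>
<a href="payslip-2020-08.pdf">payslip-2020-08.pdf</a>
<a href="pension-2020-08.pdf">pension-2020-08.pdf</a>
</pre></body></html>""")
BEFORE_FILE = Response(FILE_URL, 200, "%PDF-1.4 ...")

# After the quick fix: listing returns 403, but the file itself is still served.
AFTER_DIR = Response(DIR_URL, 403, "<h1>Forbidden</h1>")
AFTER_FILE = Response(FILE_URL, 200, "%PDF-1.4 ...")

# After the real fix: the file requires authentication.
FIXED_FILE = Response(FILE_URL, 401, "")


def demo() -> dict:
    """Run the classifier over the three constructed states and return the results."""
    return {
        "before": classify(BEFORE_DIR, BEFORE_FILE),
        "quick_fix": classify(AFTER_DIR, AFTER_FILE),
        "real_fix": classify(AFTER_DIR, FIXED_FILE),
        "files_in_listing": extract_links(BEFORE_DIR),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Against a live target the same two requests, the directory URL and one file path inside it, answer the question a quick fix leaves open: a 403 on the listing with a 200 on the file means the data is only obscured, and anyone who already holds or can guess a filename can still fetch it. The actual fix is to move such files out of the web root or behind authentication, and to re-test the file URL rather than only the directory.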
How could this data be misused?
Personal data such as names and bank details cannot by itself be used to drain someone's account, but that does not make exposing it safe. “People could use the data to launch phishing scams against the victims, based on their payment and bank account details,” said Srinivas Kodali, an interdisciplinary researcher working on data, society, and the Internet.
Ukraine-based cybersecurity consultant Bob Diachenko stated that while the open directory issue exposing sensitive files was no longer there on the Telangana government site, it was still quite vulnerable.
“They closed the most obvious gaps but if you just look closer — this ship is wrecked,” he told Gadgets 360. Diachenko said the site needs to be rebuilt as a whole.
Media reports suggest that the Telangana government site had some serious vulnerabilities and data security flaws in the past as well. One of those — surfaced in February 2018 — allegedly disclosed Aadhaar details of 56 lakh National Rural Employment Guarantee scheme beneficiaries and 40 lakh beneficiaries of the social security pensions. A server misconfiguration similar to the latest one was also reported in November last year.
‘Lack of due diligence’
Experts note that protecting a site from issues like the ones affecting the Telangana government site does not require any special knowledge; they can be avoided simply by deploying a Web application firewall and following a proper security framework.
“They are just missing the simple checks,” said Diachenko.
Sandeep Kumar Shukla, Head of the Computer Science and Engineering Department at the Indian Institute of Technology, Kanpur, told Gadgets 360 that the kind of work the government site required is taught to students. He also emphasised that the state government would have found the flaws had it carried out a single vulnerability assessment before putting anything on the public portal.
Shukla regularly conducts cybersecurity programmes and heads a Centre for Cybersecurity and Defence of Critical Infrastructure.
“In general, there should be proper laws, compliance requirements and regulations, which would force big organisations to actually hire competent people to make sure that their information systems are secured,” he said. “Even if you have the best security professionals, you may not have 100 percent personal security, but you have to show due diligence and what you saw in this case was complete lack of due diligence.”
Though India has long planned an equivalent to Europe's General Data Protection Regulation (GDPR), the absence of such stringent laws means that companies, and government agencies, do not face consequences for public data leaks.
Advocate Prasanna S, a “coder turned lawyer”, who appeared before the Supreme Court in the Aadhaar case, told Gadgets 360 that it was imperative that the Telangana government notify the general public about the breach and the ongoing efforts to fix it. He also said that even assuming the personal details of individuals had been collected lawfully, inadequate safeguards including not following the timely breach notification process would fall foul of the landmark Puttaswamy judgement of the Supreme Court that recognised privacy as a fundamental right.
“Breach notification is an important principle of data protection, as is adoption of reasonable security practices to prevent a repeat,” he said.