UP govt’s COVID-19 tracker exposed data of 80 lakh users: Report
The coronavirus surveillance application launched by the Uttar Pradesh government has unwittingly exposed identifiable information of all the residents of the state who took COVID-19 tests, including their full name, age, gender, home address, and phone number.
September 22, 2020 / 09:21 PM IST
A COVID-19 tracker launched by the Uttar Pradesh government has “multiple bugs”, which have reportedly exposed data of over 80 lakh users, including of people residing outside the state.
The coronavirus surveillance application has unwittingly exposed identifiable information of all the residents of Uttar Pradesh who took COVID-19 tests, including their full name, age, gender, home address, and phone number. The other flaw was a vulnerable code repository that stored login credentials of administrator accounts and attackers could have gained access to the dashboard and manipulated case statuses, COVID-19 patient data, etc.
It took more than a month to secure the data breach on September 10. The Next Web reported that the data security breach was detected on August 1 and it was verified by August 9. It remains unclear if the vulnerability was exploited by cybercriminals during the span of time the data was exposed.
The shocking discovery about the ‘Surveillance Platform Uttar Pradesh Covid-19’ was made by security researchers Noam Rotem and Ran Locar, on behalf of VPNMentor – a virtual private network service provider. They had informed CERT-In – the country’s emergency cyber threat response department – about the vulnerabilities, which have now been patched; the private data is no longer exposed either.
The news comes at a time the Centre has promised action on improving cybersecurity in the country.