Personal data of thousands of people in India has been leaked from a government server which includes their name, mobile number, address and COVID test result, and the information can be accessed through online search.
The leaked data has been put on sale on Raid Forums website where a cyber criminal claims to have personal data of over 20,000 people. The data put on Raid Forums shows name, age, gender, mobile number, address, date and result of COVID19 report of these people, according to media reports.
Cybersecurity researcher Rajshekhar Rajaharia also tweeted that personally identifiable information (PII) including name and COVID19 results are made public through a content delivery network (CDN).
He said that Google has indexed lakhs of data from the affected system. “PII including Name, MOB, PAN, Address etc of #Covid19 #RTPCR results & #Cowin data getting public through a Govt CDN. #Google indexed almost 9 Lac public/private #GovtDocuments in search engines. Patient’s data is now listed on #DarkWeb. Need fast deindex,” Rajshekhar Rajaharia said in his tweet.
An email query sent to the Ministry of Electronics and IT did not elicit any reply. The sample document shared on Raid Forums shows that the leaked data was meant for upload on the Co-WIN portal. The Aarogya Setu app was made mandatory for people to download for all the latest updates related to COVID19.
The government of India has heavily relied on digital technologies in order to control and create awareness about the COVID19 pandemic and the vaccination programme.
Rajaharia in a follow-up tweet on 22/01/22 said “Our data on the #Cowin portal is 100 per cent safe. There is no #dataleak from Cowin Server. PDF files of RT-PCR results/beneficiary including PII were getting indexed by Google from a CDN server. Hackers had posted them on DarkWeb Forum. Seems deleted now.”