Cybernews researchers have uncovered a significant data breach affecting at least 3.5 million individuals in Tamil Nadu, the southernmost state in India, which imposed a mandatory COVID e-pass system last year amidst a surge in cases.
The cyber security incident, originating from the peak of the pandemic in 2020-2021, has exposed sensitive personal details of those who applied for the mandatory e-pass from the state government.
During the Covid-19 epidemic, the state government started issuing e pass to individuals for marriage, medical emergency, close relative’s death, Govt. Tender bidding, Ongoing Govt. work or if stranded only.
The investigation by Cybernews unveiled that the exposed data was stored in an open S3 bucket, containing over 3.5 million records, indicating a serious lapse in cybersecurity measures. Researchers at Cybernews point to a third-party service provider as the likely source of the data leak. Cybernews did not reveal the name of the third-party service provider.
For example, Amazon Simple Storage Service or Amazon S3 is an object storage service that offers data availability, security, and performance. Customers can use Amazon S3 to store and protect any amount of data for a range of use cases, such as data lakes, websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics.
The compromised information includes:
Passport number and/or copy
Mobile number and email address
Travel details and reasons for traveling (compulsory due to pandemic-related travel restrictions)
The exposed data, though originating during the peak of the pandemic, leaves the affected individuals vulnerable to identity theft and other malicious activities.
Cybernews researchers stressed the urgency for robust cybersecurity measures, emphasizing the risks associated with mishandling sensitive personal data in the context of government-issued passes. The magnitude of the exposure raises concerns about potential threats that could arise from the exploitation of such comprehensive personal information.
Following their responsible disclosure procedure, Cybernews has informed the relevant parties about the breach. As of the current update, the dataset has been secured. However, the potential repercussions of this breach remain substantial, including the risk of identity theft, phishing attacks, and financial fraud.
Despite reaching out to both the Tamil Nadu state government and the suspected third-party service providers for an on-the-record comment, Cybernews has yet to receive any response, leaving the affected individuals in limbo regarding the fate of their compromised data. The incident serves as a stark reminder of the critical need for stringent cybersecurity measures, especially in handling sensitive personal information tied to government-issued passes.