Bleeping Computer is reporting that over 8 million medical records have been leaked in India. The leaked records are COVID-19 test results stored in the Health and Welfare Department of West Bengal, India. More than just COVID-19 results, however, entire chunks of sensitive data were also found in these reports. Such information would allow for social engineering attacks, identity theft, and a whole swath of other cybercriminal activities.
The COVID-19 test results leak was uncovered by an alert teenage InfoSec expert, Sourajeet Majumder, who spoke exclusively to the publication on the matter stating:
"I have found an issue in an Indian Government site which is resulting in the leakage of test reports of EVERYONE who took a COVID-19 test in a particular state... These reports have sensitive information about the citizens in them like name, age, date and time of sample testing, residence address, etc."
The leaked reports were encoded in base64, which, as Majumder found, had no effect on access to them: a report could be viewed whether the encoding was stripped away or left in place. This means that a malicious attacker could access the reports through URL enumeration. Bleeping Computer gave an example that mimicked the process:
The Indian government IT division responsible for the West Bengal Health and Welfare Department was alerted to the issue by the publication and Sourajeet Majumder. As a result, the leak on the website was patched; the endpoints now display an error message when accessed.
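From the defender's side, the enumeration pattern described above is visible in web server logs once plain and base64-encoded identifiers are normalized to the same value. The following is an added example, not code from Bleeping Computer or the affected site; the `/report?id=` path, the numeric identifiers and the log lines are constructed assumptions.

```python
import base64
import re
from collections import defaultdict

# Constructed log lines; the /report path and id parameter are hypothetical.
SAMPLE_LOG = """\
203.0.113.7 "GET /report?id=MTAwMQ== HTTP/1.1" 200
203.0.113.7 "GET /report?id=MTAwMg== HTTP/1.1" 200
203.0.113.7 "GET /report?id=1003 HTTP/1.1" 200
203.0.113.7 "GET /report?id=MTAwNA== HTTP/1.1" 200
198.51.100.20 "GET /report?id=NTUyMQ== HTTP/1.1" 200
198.51.100.20 "GET /report?id=NTUyMQ== HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) "GET /report\?id=([^ &"]+) HTTP/[\d.]+" (\d{3})$')

def normalize_id(raw):
    """Map a plain or base64-encoded numeric id to the same integer."""
    if raw.isascii() and raw.isdigit():
        return int(raw)
    try:
        text = base64.b64decode(raw, validate=True).decode("ascii")
    except ValueError:  # bad base64 or non-ASCII payload
        return None
    return int(text) if text.isdigit() else None

def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    best = run = 0
    prev = None
    for n in sorted(ids):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best

def find_enumerators(log_text, min_run=3):
    """Return {client: sorted ids} for clients that walked consecutive reports."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "200":
            continue
        report_id = normalize_id(m.group(2))
        if report_id is not None:
            seen[m.group(1)].add(report_id)
    return {c: sorted(ids) for c, ids in seen.items() if longest_run(ids) >= min_run}

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Detection of this kind only surfaces the access pattern; the underlying fix is a server-side authorization check on every report request, since base64 is an encoding and not an access control.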
This is not the first time in recent months that major data security issues have occurred with COVID-19 test results in India. Back in January 2021, Bleeping Computer was made aware of numerous Indian government websites accidentally leaking the test results data. Whether this is the last time remains to be seen.