tl;dr
The 'Secure, Scalable and Sugamya Website as a Service' (S3WaaS) platform of the Government of India, developed for hosting government websites, faced a significant vulnerability in January 2022. Security researcher Sourajeet Majumder discovered that the flaw could potentially lead to the exposure of sensitive personal data of around 2,50,000 Indian citizens, primarily COVID-19 vaccine beneficiaries. Despite alerts and correspondence with CERT-In and NIC, the vulnerability persisted until March 2024, when Sourajeet confirmed its resolution.
Vulnerability Explained
A potential reported vulnerability on the ‘Secure, Scalable and Sugamya Website as a Service’ (“S3WaaS”) Website of the Government of India was brought to our notice by an independent security researcher, Sourajeet Majumder, on January 17, 2022. S3WaaS is a cloud service developed for government entities to generate Secure, Scalable and Sugamya (Accessible) websites. It enables government entities to choose from various themes for generating their websites and customising and managing content efficiently, thus empowering them to maintain their online presence. Government entities requiring primarily informational websites can use the S3WaaS framework to generate and host the website under the gov.in or nic.in domain.
Sourajeet first noticed the vulnerability on January 16, 2022, when a gov.in domain was left exposed, resulting in several structured data files containing sensitive personal information of around 2,50,000 Indian citizens (mostly health workers) who had enrolled for COVID-19 vaccinations being accessible by a simple Google search. Personally identifiable information (“PII”) such as the beneficiary name, type of beneficiary, vaccination status, vaccination dose status, mobile number, document type (Aadhaar, voter ID, Pan, driving license, passbook, passport, health insurance, service identity card, etc.), document number, age, pin code, state/union territory, district, block, facility, facility category, registered date, etc. could be accessed as search engines indexed these results. Sourajeet also informed us that several malicious actors could exploit the vulnerability and had dumped the data on data breach marketplaces.
Timeline of our communication with CERT-In
Following this, IFF wrote to the Indian Computer Emergency Response Team (“CERT-In”) on January 21, 2022, reporting the bucket misconfiguration vulnerability on the S3WaaS website that allows access to several confidential, sensitive, and protected information of Indian citizens to unauthorised persons. We received a response from CERT-In on January 24, 2022, acknowledging our email and stating that they were already aware of the report and were taking appropriate actions with the concerned authorities.
Shortly after, Sourajeet brought to our notice that several confidential documents had again been indexed on search engines and were accessible to unauthorised persons. Following this, we wrote to CERT-In again on March 09, 2022, informing them that the extent of the vulnerability was more prominent than initially anticipated, with the leaked data going beyond the PII of COVID-19 vaccine beneficiaries. This was responded to by a prompt response from CERT-In on March 09, 2022, articulating that they were in the process of taking appropriate action with the concerned authority.
Finally, we also wrote to the National Informatics Centre (“NIC”), Ministry of Electronics and IT (“MeitY”) on March 17, 2022, highlighting the issue as the vulnerability could potentially jeopardise the privacy of millions of Indians, leading to identity theft of the beneficiaries and weaponisation of sensitive data against individuals or groups of individuals with the intent to threaten, influence, or exploit them. Notably, we did not receive a response from the NIC. On March 16, 2024, Sourajeet informed us that after thoroughly testing and analysing the vulnerability, he was confident that the vulnerability had been entirely resolved and that the solutions implemented were stable and efficient.
The state of cybersecurity in India
A vulnerability or data leak in the government's S3WaaS platform could pose a significant threat to the privacy and security of countless individuals. This platform is designed to host and manage websites for various government agencies, housing sensitive information ranging from personal data to governmental operations. If exploited, such a breach could result in the unauthorised access, theft, or manipulation of vast amounts of data, exposing citizens to identity theft, financial fraud, and other malicious activities. From a data protection standpoint, the consequences are severe as it undermines the fundamental rights to privacy and confidentiality. Moreover, it erodes public trust in government institutions tasked with safeguarding sensitive information, highlighting the critical need for robust cybersecurity measures and stringent data protection protocols to prevent such breaches and mitigate their repercussions.
In 2021, IFF had written to CERT-In pointing out a concerning provision in their Responsible Vulnerability Disclosure and Coordination Policy (“RVDP”) that could be used to penalise cybersecurity researchers for vulnerability disclosures, inhibiting genuine voluntary disclosures by researchers. We had recommended that this clause of the Policy be amended and that an explicit provision for the protection of genuine security disclosures from vexatious legal claims and proceedings be specified.
CERT-In responded to our representation, explaining that the Policy is an executive decision and, thus, must follow the existing provisions of the law. In light of this, we wrote to MeitY, asking them to amend the Information Technology Act, 2000 to provide a safe harbour for genuine security researchers. Given that several data breaches are not discovered and/or disclosed by the data fiduciaries but rather by independent digital security researchers, it is imperative that robust vulnerability reporting mechanisms protect vulnerability researchers from harm.
The urgent need to operationalise the Digital Personal Data Protection Act (“DPDPA”), 2023 is underscored by the increasingly pervasive threats to individuals' digital privacy and security. As technology advances, so do the methods and scale of cyberattacks, leaving individuals and organisations vulnerable to data breaches, identity theft, and surveillance. A comprehensive, robust, and rights-respecting DPDPA is essential to establish clear guidelines, regulations, and enforcement mechanisms to safeguard personal information, ensure transparency in data handling practices, and hold entities accountable for any lapses in cybersecurity protocols. The inadequacies of the DPDPA, 2023 in safeguarding data privacy and empowering data principals in the event of a breach as well as the current grim state of cybersecurity in the country reveal concerning gaps and vulnerabilities. Despite efforts to bolster cybersecurity measures, including establishing dedicated agencies and initiatives, challenges such as insufficient resources, outdated infrastructure, and a shortage of skilled professionals persist.
The rapid digitisation of critical infrastructure and services has expanded the attack surface, amplifying the need for proactive risk management strategies, enhanced collaboration between public and private sectors, and continuous investment in cybersecurity education and infrastructure. Strengthening both legislative frameworks and cybersecurity capabilities is imperative to mitigate risks, protect digital assets, and foster trust in the evolving digital landscape. Leaks in the servers of Zivame, RentoMojo, CoWIN, and AIIMS have put into question the governance mechanisms that exist in the event of such breaches.
A non-exhaustive list of data breaches that occurred in the country since 2020 is available on a publicly accessible database, PlugTheBreach, a small-scale IFF initiative aimed at covering, reporting, and tracking data breaches in India to increase transparency and public awareness.
Important documents
- Letter to CERT-In dated 21st January 2022 (Link)
- Letter to CERT-In dated 9th March 2022 (Link)
- Letter to NIC, MEITY dated 17th March 2022 (Link)
Note: This post was drafted primarily by Vinamra Harkar, Policy Intern at IFF. We would like to thank Sourajeet Majumder, an independent security researcher for his assistance throughout this process.