An unprotected database has led to the exposure of individual identification numbers of millions of families from India.
In a blog post, security researcher Bob Diachenko explained that the misconfigured Elasticsearch server contained the private information of families registered under Mukhya Mantri Parivar Samridhi Yojana (MMPSY), one of India’s largest social security programs.
Exposed data included full names, addresses, mobile phone numbers, marital status, mother’s name, spouse’s name, gender, date of birth, email, Aadhaar number and more.
The database also contained login and authentication tokens for administration purposes.
The server was first indexed by the BinaryEdge search engine on May 21 and remained exposed for several days. It is unknown whether anybody came across the server; however, Diachenko deems it likely “given the growing number of attacks on unprotected noSQL databases” in the past year.
Upon discovery, Diachenko immediately sent multiple emails to potential administrators, and within 24 hours the instance was taken down from the public domain.
The exposure of such sensitive data poses a significant risk to those affected. Threat actors may choose to target them with phishing campaigns and scams.