Uttar Pradesh government
September 1, 2020
8.0M
Confirmed
Misconfiguration
Government
Over eight million patients in India had their personal and medical details exposed after security researchers discovered multiple vulnerabilities in a government-run COVID-19 surveillance system. The “Surveillance Platform Uttar Pradesh Covid-19” software was first discovered by vpnMentor researchers via a web scan on August 1, 2020. After the researchers contacted CERT-In and the cybercrime department of the Uttar Pradesh government, the issues were finally remediated on September 10. The research team found two main problems: an unsecured Git repository containing the platform’s code as well as plaintext admin credentials, and a separate index of CSV files containing daily COVID-19 patient reports, which was accessible without a password. Personal data exposed included full names, addresses, phone numbers, diagnoses, symptoms and medical records. Even worse, the passwords in the Git repository were listed twice, once in easy-to-crack, unsalted MD5 hashes. Most were simply four-digit numbers, often linked to the same code as that of the platform’s administrators, the report noted.