The authorities in a state in northern India uploaded a massive database of pregnancy-related sensitive records on to a server, connected it to the internet, and left it open for all, without any form of password protection. The name of the state has not yet been revealed. The data in question is not trivial — over 12.5 million records, including pregnancy details, abortion and diagnosis reports, and even reports of ultrasonography, amniocentesis and genetic examination of the foetus. Accompanying the medical records were details such as name, age, residential address, family information and contact numbers of all the individuals involved.
While this itself is alarming enough, this database also contained emails, complaints and conversations regarding illegal prenatal gender determination. This happens to be an illegal act in India, and is severely punishable in the country. This is the nature of information that Bob Diachenko, a cyber security researcher, stumbled upon during a regular security check on a public search engine.
The consequences could have included leakage of a tremendous amount of personal data, imprisonment of the multiple parties involved for breaching the law, and cyber attacks in the nature of ransomware and blackmail against families who would never suspect that their data could be stolen from a government server. Recently, we spoke to Diachenko, who runs SecurityDiscovery.com and works actively to secure data and servers that fail to protect sensitive personal data, thereby leaving thousands, or even millions, vulnerable. Here are excerpts from the conversation.
How and when did you come across the breached medical records database?
I first identified a non-protected (thus publicly available) MongoDB instance on March 7th during a regular security audit of data coming from the public Internet-of-Things search engines Shodan and BinaryEdge.
Can you give us an idea about the severity of this incident? How big an impact might it have?
Leaving such sensitive information as patients' records, doctors' details, children's details, admin passwords, and logins inside a password-less MongoDB server is akin to breaking doctor-patient confidentiality.
Have you previously come across other such security lapses, or breaches, pertaining to other Indian government databases?
Yes. India has always been a focus in my research. A lot of my reports covered data breaches coming from India-based companies. Even if it is a non-government organization, in many cases it stores a lot of personally identifiable information, such as PAN numbers or Aadhaar numbers.
Many state-run setups are often running on old generation hardware and software, without significant security updates. How big a breach might this cause?
Yes, outdated software might cause trouble - but even more trouble comes from improper cyber hygiene, like disabling passwords. I don't look for potential holes in the database - I find open doors which don't even require a password - also, I don't try any default passwords against a protected database.
To discover data breaches, leakages, and vulnerabilities on the Internet, I use public search engines only, such as Shodan, Censys, etc. When I find a public database or any other instance, like data that's fully accessible to anyone without any restrictions, I collect several digital samples for further analysis. If these samples contain any kind of private and sensitive data, I employ a Responsible Disclosure model to privately communicate the findings to the data owner, that is, the company or organization that left the information publicly accessible, and help them implement specific security safeguards to protect their private data.
Is it possible that the information was breached and collected before being secured? If so, what might the severity of the implications be?
The danger of having exposed MongoDB or similar NoSQL databases is huge. I have previously reported that the lack of authentication allowed the installation of malware or ransomware on MongoDB servers. The public configuration allows the possibility for cyber-criminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch code execution to steal or completely destroy any saved data the server contains.
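A defender-side self-check for the misconfiguration Diachenko describes above (and in the answers on password-less servers and cyber hygiene), added here as an example and not code from the article or from SecurityDiscovery.com: it reads a mongod.conf and flags a non-loopback bindIp combined with authorization left disabled. The sample configs are constructed, and the reader covers only mongod.conf's flat section/key layout, not full YAML.

```python
import ipaddress

# Added example (not the article's or SecurityDiscovery.com's code): self-audit of a
# mongod.conf for the two settings behind "open door" MongoDB exposures.

def parse_mongod_conf(text):
    """Reader for mongod.conf's `section:` / `  key: value` layout (not full YAML)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line.startswith((" ", "\t")):          # top-level section name
            section = key
            conf.setdefault(section, {})
        elif section is not None:                     # deeper nesting is flattened
            conf[section][key] = value.strip().strip("\"'")
    return conf

def _is_public(addr):
    """True unless the bind address is loopback or a unix socket path."""
    addr = addr.strip()
    if addr.startswith("/") or addr == "localhost":
        return False
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:                                 # hostname: treat as reachable
        return True

def audit_mongod_conf(text):
    """Return findings; an empty list means neither exposure condition is present."""
    conf = parse_mongod_conf(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings = []
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    # mongod 3.6+ binds only to 127.0.0.1 when bindIp is absent
    if bind_all or any(_is_public(a) for a in net.get("bindIp", "127.0.0.1").split(",")):
        findings.append("listens on a non-loopback interface")
    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append("authorization not enabled: no login required")
    return findings

# Constructed sample configs: the exposed shape the article describes, and its fix.
EXPOSED_CONF = "net:\n  bindIp: 0.0.0.0\nsecurity:\n  authorization: disabled\n"
HARDENED_CONF = "net:\n  bindIp: 127.0.0.1,/tmp/mongodb-27017.sock\nsecurity:\n  authorization: enabled\n"

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Running it against a server's own `/etc/mongod.conf` reports both conditions for the exposed shape and nothing for the hardened one; a clean result still assumes the host firewall and network ACLs are in place.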
From your experience, how easy is it for anyone with malicious intent to breach into the data servers of Indian government bodies, similar to the breach that you found?
If a server/database or device is left exposed without any password or login, then there is no need to breach into it; you just access it, like you open a web page in a browser. I do not use any intrusive techniques, and everything that I find is publicly accessible. That is why I always try to raise awareness of those issues.
At the same time, there are many people out there who are looking for open/exposed servers, but not for responsible disclosure. They delete the data or download it and then sell it or use it for malicious activity.