The West Bengal state government, through its department of health and family welfare, has seemingly left open a database that includes over 1 lakh reports of Covid-19 tests done in the state. While the number is not particularly massive if the entire state is taken into consideration, most of the reports in the database are from the North Bengal districts of Darjeeling and Siliguri. The test reports date back to early May, 2020 until as recent as the past week, News18 can confirm. Personal identifiers in the reports that can be read by anyone in public domain include patient name, age, residence address, address of referring hospital (in some cases) and the exact date and time of testing.
The data leak in question was found by independent security researcher, Sourajeet Majumder, who noted that the test reports were all listed in an online database. Under this database, Majumder observed that while the links are originally encoded, the encoding standard used by the West Bengal government in this case is Base64. To be specific, only the SRF ID or the specimen collection ID, was encoded in the URLs. This can be easily decoded by using an online Base64 decoder, which in turn reveals the exact collection ID of each patient in plain text. This can then be replaced in the ID to access a patient’s report. Therefore, any person willing to access and misuse this data can do so very easily, without any real safeguard in between. News18 has independently confirmed this claim, and could access over 1 lakh such reports – mostly based in the Siliguri and Darjeeling districts of North Bengal.
The information in question may not particularly come with identifiable data that can be sold on the dark web for a high price, but still represents a significant breach of privacy. Majumder reached out to CERT-In, the cyber security emergency response team, who acknowledged the breach to Majumder. Majumder claims that he had also reached out to the system coordinator who manages the West Bengal state health department website. However, at the time of writing the story, the concerned person issued no response. News18 has independently verified Majumder’s claims.
However, despite CERT-In’s acknowledgement of this data breach, all of the data is still online, and therefore available for anyone with intent to breach. Such data leaks contribute significantly to identity scams, cyber blackmail efforts and identity thefts, and therefore make for increasingly serious incidents.