Passports, mobile numbers, and email addresses of Indian travelers who requested COVID e-pass have been leaked, 3.5M individuals at risk of identity theft.
Last year, due to an increase in the number of people with COVID-19, Tamil Nadu, the southernmost state in India with a population of 79 million, made a COVID e-pass mandatory.
This meant that all inter-zone travelers needed to apply for it online and enter a great deal of their personally identifiable information (PII).
Unfortunately, at least 3.5 million people’s sensitive details were exposed to the public, a recent investigation by the Cybernews research team shows. While the data comes from the peak of the pandemic (2020-2021), exposed people are still at risk of identity theft and other malicious activities.
Cybernews discovered the unprotected data during a routine investigation. The culprit was an open S3 bucket that included over 3.5 million records. Our researchers assess that the data was being leaked by a third-party service provider. While we disclosed our findings to the relevant parties following our responsible disclosure procedure, at the time of writing, the dataset is secure.
The leaking data includes:
- Name
- Passport number and/or copy
- Gender
- Mobile number and email address
- Travel details and reasons for traveling (people had to specify due to travel restrictions during the pandemic)
- Vehicle numbers
We’ve contacted the Tamil Nadu government, as well as the third-party service providers that we suspect to be behind the leak, for an on-the-record comment but have yet to receive any kind of reply.
If you want to learn more about the risk for users due to this data leak, take a look at the original post at:
https://cybernews.com/security/indian-covid-passport-data-leak/
About the author: Jurgita Lapienytė, Chief Editor at CyberNews
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, COVID-19)