The West Bengal state government, through its department of health and family welfare, has apparently left open a database that includes over 1 lakh reports of Covid-19 tests conducted in the state. While the number is not particularly large if the entire state is taken into account, most of the reports in the database are from the North Bengal districts of Darjeeling and Siliguri. The test reports date from early May 2020 to as recently as the past week, News18 can confirm. Personal identifiers in the reports that can be read by anyone in the public domain include patient name, age, residence address, address of referring hospital (in some cases) and the exact date and time of testing.
The data leak in question was found by independent security researcher Sourajeet Majumder, who noted that the test reports were all listed in an online database. Under this database, Majumder saw that while the links are initially encoded, the encoding standard used by the West Bengal government in this case is Base64. To be specific, only the SRF ID, or the specimen collection ID, was encoded in the URLs. This can be easily decoded by using an online Base64 decoder, which in turn reveals the actual collection ID of each patient in plain text. This can then be replaced in the ID to access a patient's report. Therefore, any individual willing to access and misuse this data can do so very easily, without any real safeguard in between. News18 has independently confirmed this claim, and could access over 1 lakh such reports, largely based in the Siliguri and Darjeeling districts of North Bengal.
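Why a Base64-encoded ID in a link is not a safeguard, and what a server-side check looks like instead, as an added example that is not code from the portal or from this article. The report IDs, user names, key and function names are all constructed for illustration.

```python
import base64, hashlib, hmac, secrets

# Constructed sample records; the ID format is a placeholder, not the real SRF ID format.
REPORTS = {"SRF-0001": {"owner": "alice", "result": "negative"},
           "SRF-0002": {"owner": "bob", "result": "positive"}}
SERVER_KEY = secrets.token_bytes(32)  # hypothetical secret held only by the server

def _b64(s):
    return base64.urlsafe_b64encode(s.encode()).decode()

def weak_link_token(srf_id):
    """Pattern the article describes: the URL parameter is only Base64 of the ID."""
    return _b64(srf_id)

def weak_fetch(token):
    """No login and no secret: Base64 is a reversible encoding, not access control."""
    return REPORTS.get(base64.urlsafe_b64decode(token).decode())

def _tag(user, srf_id):
    return hmac.new(SERVER_KEY, f"{user}:{srf_id}".encode(), hashlib.sha256).hexdigest()

def signed_link_token(srf_id, user):
    """Hardened form: the link carries an HMAC binding the ID to one user."""
    return f"{_b64(srf_id)}.{_tag(user, srf_id)}"

def hardened_fetch(token, session_user):
    """Return the report only if the MAC verifies and the session user owns it."""
    try:
        body, tag = token.split(".", 1)
        srf_id = base64.urlsafe_b64decode(body).decode()
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    expected = _tag(session_user, srf_id)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # token was not issued by the server for this user
    report = REPORTS.get(srf_id)
    if report is None or report["owner"] != session_user:
        return None  # ownership is still checked against the stored record
    return report

if __name__ == "__main__":
    link = signed_link_token("SRF-0001", "alice")
    print("owner:", hardened_fetch(link, "alice"))
    print("other user:", hardened_fetch(link, "bob"))
```

The ownership check in `hardened_fetch` is the control that matters; the HMAC only stops links from being constructed without the server's key.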
The information in question may not particularly contain identifiable data that can be sold on the dark web for a high price, but nonetheless represents a significant breach of privacy. Majumder reached out to CERT-In, the cyber security emergency response team, who acknowledged the breach to Majumder. Majumder claims that he had also reached out to the system coordinator who manages the West Bengal state health department website. However, at the time of writing the story, the concerned person issued no response. News18 has independently verified Majumder's claims.
However, despite CERT-In's acknowledgement of this data breach, the entire data is still online, and therefore accessible for anyone with intent to breach. Such data leaks contribute significantly to identity scams, cyber blackmail efforts and identity thefts, and therefore make for increasingly serious incidents.