
India’s Ministry of Housing and Urban Affairs left an open AWS bucket revealing nearly two million IDs, bank statements, and other files with sensitive citizens’ data.
While users often worry about private companies taking shortcuts regarding data, governments can be just as negligent. For example, the Cybernews research team recently discovered an exposed AWS S3 bucket containing over 1.9 million records.
The exposed instance, as it turns out, belongs to India’s Ministry of Housing and Urban Affairs (MoHUA). Worryingly, multiple attempts to contact authorities bore no fruit, as the bucket remains open nearly four months after initial disclosure.
We have reached out to MoHUA for comment and will update the article once we receive a reply.
What MoHUA data was leaked?
The vast majority of the nearly two million exposed records are sensitive documents, like national IDs, proofs of address, and bank statements. Moreover, the exposed instance contained official forms from the Urban Statistics for HR and Assessments (USHA) and ration cards.
Different documents expose different types of data, but in general, the leak exposed:
- Full names
- Dates of birth
- Places of birth
- Aadhaar numbers (India’s unique ID number)
- Phone numbers
- Family member details
“Leaking critical personal documents, including National IDs, proof of address, and bank statements, exposed individuals to identity theft. For example, attackers can impersonate individuals to open fraudulent bank accounts, apply for loans, or engage in illegal activities using stolen identities,” the team explained.
The exposed MoHUA instance contains more than enough details for attackers to carry out different types of phishing scams and social engineering attacks. For one, cybercrooks could pose as government entities to deceive victims into providing sensitive data.
Malicious actors may also employ SMS phishing. With sensitive personal details, attackers can distribute legitimate-looking messages, tricking unsuspecting victims into clicking malicious links and downloading malware.
“With detailed personal information at hand, attackers can tailor highly specific phishing campaigns, making their communications appear more legitimate by referencing specific details like names, addresses, or family members' information,” researchers said.
Losing citizens’ data also increases the likelihood that they’ll be targeted by scammers. Criminals often use leaked details to offer fake government services or promise assistance with an application in exchange for payment.
To prevent further data leaks, the team urges the following steps:
- Change the access controls to restrict public access and secure the bucket
- Update permissions to ensure that only authorized users or services have the necessary access
- Retrospectively review access logs to assess whether the bucket has been accessed by unauthorized actors
- Enable server-side encryption to protect data at rest
- Use AWS Key Management Service (KMS) to manage encryption keys securely
- Implement SSL/TLS for data in transit to ensure secure communication
- Consider implementing security best practices, including regular audits, automated security checks, and employee training
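As an added example (not from the Cybernews team or MoHUA), the Python below audits a bucket's policy, Block Public Access settings and default-encryption rules against the recommendations above. It assumes the three inputs are the JSON returned by the S3 GetBucketPolicy, GetPublicAccessBlock and GetBucketEncryption calls; the bucket name, role ARN and both policies are constructed placeholders, and the finding labels are this example's own.

```python
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    # "*" or {"AWS": "*"} grants access to everyone, including anonymous callers.
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def _denies_plain_http(stmt):
    cond = stmt.get("Condition", {}).get("Bool", {})
    return (stmt.get("Effect") == "Deny" and _is_public(stmt.get("Principal"))
            and str(cond.get("aws:SecureTransport", "")).lower() == "false")

def audit_bucket(policy, public_access_block, encryption_rules):
    """Return findings for the three inputs; an empty list means no issue found."""
    findings = []
    off = [f for f in PAB_FLAGS if not public_access_block.get(f)]
    if off:
        findings.append("public-access-block-off:" + ",".join(off))
    statements = _as_list(policy.get("Statement", []))
    for stmt in statements:
        # Unconditioned public Allow; conditioned ones still need manual review.
        if (stmt.get("Effect") == "Allow" and _is_public(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append("public-allow:" + stmt.get("Sid", "<no Sid>"))
    if not any(_denies_plain_http(s) for s in statements):
        findings.append("no-tls-enforcement")
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm", "")
             for r in encryption_rules]
    if not any(a.startswith("aws:kms") for a in algos):
        findings.append("no-sse-kms-default")
    return findings

BUCKET = "arn:aws:s3:::example-bucket"  # constructed sample data, placeholder names
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET, BUCKET + "/*"]}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app"}},
    {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
ALL_ON = dict.fromkeys(PAB_FLAGS, True)
KMS_RULES = [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]
```

Calling `audit_bucket(WEAK_POLICY, {}, [])` reports all four finding types, while `audit_bucket(HARDENED_POLICY, ALL_ON, KMS_RULES)` returns an empty list.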
Disclosure timeline:
- Leak discovered: October 23rd, 2024
- Initial disclosure: October 25th, 2024
- CERT contacted: January 2nd, 2025