3.5M exposed in COVID-19 e-passport leak


Passports, mobile numbers, and email addresses of Indian travelers have been leaked, leaving 3.5 million individuals at risk of identity theft.

Last year, due to an increase in the number of people with COVID-19, Tamil Nadu, the southernmost state in India with a population of 79 million, made a COVID e-pass mandatory.

This meant that all inter-zone travelers needed to apply for it online and enter a great deal of their personally identifiable information (PII).

Unfortunately, at least 3.5 million people’s sensitive details were exposed to the public, a recent investigation by the Cybernews research team shows. While the data comes from the peak of the pandemic (2020-2021), exposed people are still at risk of identity theft and other malicious activities.

Cybernews discovered the unprotected data during a routine investigation. The culprit was an open S3 bucket that included over 3.5 million records. Our researchers assess that the data was being leaked by a third-party service provider. We disclosed our findings to the relevant parties following our responsible disclosure procedure, and at the time of writing, the dataset is secure.

The leaking data includes:

  • Name
  • Passport number and/or copy
  • Gender
  • Mobile number and email address
  • Travel details and reasons for traveling (people had to specify due to travel restrictions during the pandemic)
  • Vehicle numbers

Since the leaked data included a comprehensive set of personal data, it could be exploited by threat actors for a variety of attacks, including identity theft, phishing attacks, and financial fraud, among others.

“The sheer scale of the exposure underscores the urgency for robust cybersecurity measures and highlights the potential risks associated with the mishandling of sensitive personal data in the context of government-issued passes,” Cybernews researchers said.

We’ve contacted the Tamil Nadu government, as well as the third-party service providers that we suspect to be behind the leak, for an on-the-record comment but have yet to receive any kind of reply.