© 2023 CyberNews - Latest tech news,
product reviews, and analyses.

If you purchase via links on our site, we may receive affiliate commissions.

India’s foreign ministry leaks expat passport details

The Global Pravasi Rishta Portal, India’s government platform for connecting with its overseas population, leaked sensitive data, including names and passport details.

The Cybernews research team has been alerted that the Global Pravasi Rishta Portal was leaking sensitive user data. Unfortunately, the tip proved accurate.

The platform exposed user names, surnames, country of residence, and email addresses in plaintext, as well as occupation status, phone and passport numbers. The leak was possible because of poor security measures, such as a lack of authentication methods.

The Global Pravasi Rishta Portal is a platform with the goal of connecting 30 million Indian expats. The platform owner is the Ministry of External Affairs of India, the country’s government body responsible for implementing foreign policy.

The portal is meant as a tool for communication between the Ministry of External Affairs, Indian Missions, and the Indian diaspora. Pravasi Rishta means “expatriate relationships” in English.

The Cybernews team has reached out to the Ministry of External Affairs to inform it of the leak. We did not receive a reply, but several days later the security issue had been fixed.

India passport details leak
India’s government platform that leaked passport details. Image by Cybernews.

Identity theft

According to the Cybernews research team, exposure of passport numbers is not a very common occurrence and considerably escalates user risk.

In 2020, Marriott International disclosed a data breach leaking details of over five million hotel guests, including their passport numbers. In 2018, Air Canada’s mobile app was breached, with the passport numbers of 20,000 customers exposed.

The team claims that while not very likely, losing a passport number to threat actors can result in identity theft.

“Combined with other leaked data, passport details could be used for other types of fraud. Users of the platform should be keeping an eye on their credit file and history and making sure to use multi-factor authentication with strong passwords,” researchers said.

The data was exposed via the website’s edit function, where manipulating the URL allowed anyone to access the edit details of any user on the site. In other words, it takes only one registered user to access all of them, since changing the user ID in the URL leads to another user’s account.

If you have something to share with Cybernews, please don't hesitate to contact us. You can do that using this form.

More from Cybernews:

Weekly recap: from lawsuit against TikTok to viral Chat GPT

One year on: Log4Shell’s Armageddon that never was

Russia blocks 15k websites in one week

Metropolitan Opera hit by cyberattack

Crooks stole Daily Loud’s Twitter, posted scam messages

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are marked