In yet another in a series of data compromises, the Andhra Pradesh government has exposed expansive details of upto 4.5 crore citizens — right from their phone numbers, insurance status, and home addresses — on a state government portal, accessible with only an Aadhaar number, reported The Times of India. All the data collected under Praja Sadhikhara Survey or Smart Pulse Survey, which is a extensive database of socio-economic and demographic data of citizens and seeded with Aadhaar, is accessible with an individual’s Aadhaar number on a AP government portal.
The vulnerability was first discovered by security researcher Srinivas Kodali, who notified the Andhra Pradesh government of the breach. The AP government has since suspended the link.
“I have reported the security issue to the AP government. Just visiting the link and entering a number will give the information. The website has 4.5 crore peoples data, and all the details of the survey are here. The data is about smart pulse survey. The survey started in July 2016 and is ongoing. Earlier when a similar breach happened, officials brought down the site.” Kodali told The Times of India.
An earlier breach of the same database in April exposed the home addresses of citizens with geo-tagging, caste details down to the cluster/booth level using family details. This data was integrated with citizens’ voter IDs. The AP government has been updating the pulse survey data of residents of the state since 2016 with an e-KYC based verification system linked to Aadhaar.
Andhra Pradesh breaches
This latest data breach follows other compromises of private and sensitive data of Andhra Pradesh citizens. Both previous breaches were reported by Kodali.
— It was revealed earlier this week that the Andhra Pradesh government records names, contact numbers, details of items purchased, of anybody who bought medicines from government-owned Anna Sanjivini Stores. Read more here.
— In another breach discovered on Tuesday, it was found that on another portal run by the state government, anybody can track ambulance calls and patient details — such as the pick-up point, why the ambulance was called, and the hospital to which the patient was taken. Since the website gives access to the purpose of ambulance visit, anybody can track the movements of pregnant women and victims of assault.