After a series of data breaches by the Andhra government were discovered, the state government has finally moved a muscle; Chief Minister N Chandrababu Naidu has announced an audit of all government websites (which is the second such audit since May) and said the state will set up a portal to report such vulnerabilities and breaches. The developments were first reported by The New Indian Express.
“We have asked the Andhra Pradesh State Cyber Security Operations Centre (APCSOC) to conduct an audit of all the departments’ websites to identify if any sensitive public data is available on them. Here on, we will audit all the portals for both cybersecurity vulnerabilities and privacy issues. The audits will be done on a monthly basis.” K Vijayanand, principal secretary, IT, AP government told the New Indian Express. For the record, AP government has 1200 websites belonging to various government departments. The TNIE reported that government officials are wary of such an audit which gives access of data to APCSOC. Some departments even made the body sign non-disclosure agreements when the first such audit was carried out in May after a breach in April 2018.
The AP government also announced that it will design a “special portal” called Andhra Pradesh Computer Response Team (APCRT) to immediately respond to cyber-security threats and data breaches. “Anybody who spots discrepancies can reach out to us using APCRT.” said V Premchand, the MD of Andhra Pradesh Technology Services Ltd (APTSL). He further added that the APCRT would also have a call centre with ten phone lines, which could be contacted during cyber emergencies. APTSL is the nodal agency for e-governance initiatives in the state and also the organisation looking after the APCSOC.
The multiple breaches in Andhra Pradesh
The past week, Srinivas Kodali revealed several breaches of medical and socioeconomic data. Andhra government portals have unsecured websites that with, little or no trouble, made accessible phone numbers, addresses and medicines purchased from customers of state-owned generic medicine stores – Anna Sanjivini stores. It let anybody monitor the route of an ambulance, the reason the ambulance was called, which hospital it went to and the pick-up point. And finally, there was a breach of the Smart Pulse Survey data. Anybody could access the demographic details, insurance status and phone numbers of 4.5 crore people with just an Aadhaar number. The portal website was taken down after the breach was reported. Note that, Andhra Pradesh government has created “People’s Hub” which uses a resident’s Aadhaar number to consolidate 29 different department databases to create a “single source of truth” on the resident.
This is not all. The first such leak was reported two months ago in April 2018. The breach gave access to citizen data including the Aadhaar number, bank – branch, IFSC code and account number, father’s name, address, gram panchayat, mobile number, ration card number, right down to occupation, religion and even caste information.
“It has been two months since the state officials made tall claims that those who helped them in plugging the vulnerabilities would be rewarded. But there is no way to report the issues. Even the highly-publicised Andhra Pradesh Cyber Security Operations Centre (APCSOC) does not have a website of its own,” Kodali told TOI.
Read all stories about Andhra Pradesh data breaches here.