Andhra Pradesh website is leaking detailed data of farmers

The Andhra Pradesh government has been leaking the personal data of more than 23,000 farmers who have received subsidies from the Andhra Pradesh Medicinal and Aromatic Plants Board, reported HuffPost India. The organisation encourages the growth of Ayurvedic medicines in the state; the subsidies are offered to farmers and tribals – and all their personal data is available on an open database on an Andhra Government portal.

The portal has been leaking farmers’ phone numbers, Aadhaar numbers, father’s names, passbook and bank account numbers, and the district and mandal where they live – all this information by entering their phone number in the database.

The information is available with a click and can be downloaded as an Excel Sheet. This leak appears to the most vulnerable among all the Andhra government leaks. To access any data from previous leaks, one had to search for the information on dense portals. In this case, detailed information is available with a simple search by entering a phone number.

Karan Saini, a security analyst and consultant told HuffPost that the various government departments are generally unresponsive when breaches like this are brought up. “Lack of outreach is an issue with all of these organisations,” said Saini. “NCIIPC is the only one that can even be found by someone looking at the surface. [These organisations] are hard to get a response from.”

One reason for this is that there is no official system of accountability in the government when it comes to data leaks, said Srinivas Kodali, a security researcher who reported the leaks in June.

Earlier in July, the Andhra Pradesh government announced a new government incident reporting portal called Andhra Pradesh Computer Response Team (APCRT) which it is will go live in about a week. After the multiple breaches were reported in June, the Andhra Pradesh government ordered an audit of all government websites (which for the record, is 1200 websites) and said the state will set up a portal Andhra Pradesh Computer Response Team (APCRT) to report such vulnerabilities and breaches.

Andhra’s many leaks

Throughout June, breaches containing troves of data identifying individuals were reported. Here’s a look at what data was vulnerable.

An unsecured AP government portal exposed the names and numbers of all the people who had purchased medicines from the government-run generic medical stores — Anna Sanjivini Stores. The leak contained logs of Order ID, the Store Operator ID, Customer name, Customer phone number, details of the medicines, and the money paid, for each order. Details of people who had purchased Suhagra, a generic version of Viagra (a drug used to treat erectile dysfunction) were leaked as well.
It emerged that a state government portal which tracked ambulances in real-time was vulnerable and could be accessed by anybody with an internet connection. The portal was monitoring the movement of these vehicles and had sensitive information about the patient — such as the pick-up point, why the ambulance was called, and the hospital to which the patient was taken. Such knowledge and data gathering also raised concerns over the kind of data collected by state governments.
Details of up to 4.5 crore citizens — right from their phone numbers, insurance status, and home addresses — were exposed on a state government portal, accessible with only an Aadhaar number. All the data collected under Praja Sadhikhara Survey or Smart Pulse Survey, which is an extensive database of socio-economic and demographic data of citizens and seeded with Aadhaar, was open for access.

Read all our coverage of Andhra Pradesh data leaks here.