The Andhra Pradesh government has started taking steps to prevent the leak of citizens’ personal data from government websites; a new government incident reporting portal called Andhra Pradesh Computer Response Team (APCRT) is likely to go live in about a week, reported HuffPost India.
In June, several data breaches and vulnerabilities were discovered by security researcher Srinivas Kodali. It emerged that citizen data relating to medical purchases, ambulance calls, phone numbers, addresses and insurance status was easily accessible to anybody with an internet connection. The data was stored in vulnerable dashboards of the state government portals.
After multiple breaches were reported, the Andhra Pradesh government ordered an audit of all government websites (1200 websites in all) and said the state will set up a portal, the Andhra Pradesh Computer Response Team (APCRT), to report such vulnerabilities and breaches.
At the time, K Vijayanand, principal secretary, IT, AP government, said monthly audits will be conducted for all departments to find loopholes in data security and privacy. “We have asked the Andhra Pradesh State Cyber Security Operations Centre (APCSOC) to conduct an audit of all the departments’ websites to identify if any sensitive public data is available on them. Here on, we will audit all the portals for both cybersecurity vulnerabilities and privacy issues. The audits will be done on a monthly basis,” he had said. The government also announced the APCRT portal, which would also have a call centre with ten phone lines meant for use in cyber emergencies.
This isn’t the first audit the AP government has conducted. APCSOC was inaugurated in April and began auditing in May. “We started doing security audits in May, and it has been a very time-consuming process,” V Premchand, Managing Director of Andhra Pradesh Technology Services (APTSL), told HuffPost India. APTSL oversees cybersecurity issues in the AP government and is the authority running APCSOC. “The different departments have their own systems and a lot of the decisions on security have so far been taking place on an ad hoc basis, so one of the first tasks for us was to establish the SOP (standard operating procedure) to be followed. We are now going to do this for privacy along with security.”
Sources in the government showed what the APCRT would look like once live, with sections showing the latest security news updates, and advisories for the general public on how to secure their gadgets, aside from a page to report cybersecurity issues with different options for government agencies, organisations, and individuals to make their reports.
What data was leaked? Was it sensitive?
A lot and yes.
Throughout June, breaches containing troves of data identifying individuals were reported. Here’s a look at what data was vulnerable.
- An unsecured AP government portal exposed the names and numbers of all the people who had purchased medicines from the government-run generic medical stores — Anna Sanjivini Stores. The leak contained logs of Order ID, the Store Operator ID, Customer name, Customer phone number, details of the medicines, and the money paid, for each order. Details of people who had purchased Suhagra, a generic version of Viagra (a drug used to treat erectile dysfunction) were leaked as well.
- It emerged that a state government portal which tracked ambulances in real-time was vulnerable and could be accessed by anybody with an internet connection. The portal was monitoring the movement of these vehicles and had sensitive information about the patient — such as the pick-up point, why the ambulance was called, and the hospital to which the patient was taken. Such knowledge and data gathering also raised concerns over the kind of data collected by state governments.
- Details of up to 4.5 crore citizens — right from their phone numbers, insurance status, and home addresses — were exposed on a state government portal, accessible with only an Aadhaar number. All the data collected under Praja Sadhikhara Survey or Smart Pulse Survey, which is an extensive database of socio-economic and demographic data of citizens and seeded with Aadhaar, was open for access.
All these portals were taken down after the breaches were exposed and reported. While the above occurred in June, another was reported in April. Personal information of Eligible Couples, Pregnant Women and Children tracked by the Nutrition and Health tracking system as well as the Reproductive and Child Health department was being leaked from AP government websites. The data was publicly accessed as area-wise lists, including the Aadhaar and mobile numbers of the people being tracked. The data published on this site included Aadhaar numbers of women and it tracked their reproductive history from pregnancy to its conclusion – whether abortion, risk status, follow-ups or birth. It also tracked the infants’ early years and vaccinations.