The department of agriculture of the Jharkhand government is leaking personal and legal documents of individuals in the state. About 9,000 documents from the government portal have been leaked. They are an assortment of legal, personal and business documents, many of them containing personally identifiable information of proprietors, and include licenses, lease agreements between individuals and the state government, licenses to sell agricultural products and so on.

The vulnerability was first discovered by French security researcher Robert Baptiste, who goes by Elliot Alderson on Twitter.

To be clear, the data has not been hacked or stolen, but is openly available on a dashboard run by the Jharkhand state government.

The portal leaking personal and legal data; this image shows a small sample of the thousands of documents available for download.

Personal documents

Scanned copies of PAN cards and Aadhaar cards of several individuals are available on the website, as are various legal documents and affidavits containing licenses to sell and stock insecticides, fertilizers and seeds. Remember that a legal document contains granular detail of the concerned parties or entities. Documents accessed by MediaNama contain the residential and/or office address of the proprietor along with full names, fathers’ names, signatures and in some cases even their photographs. The documents also include registration documents, which reveal personally identifiable information as well.

Scan of Aadhaar Card of the same individual

Scan of PAN Card of an individual, available for download on a state government portal.


Appointment letters and Challans

There are even some appointment letters to private firms based in the state. For instance, in one appointment letter, the firm hiring the individual exposed the remuneration amount of the person.

License Agreement issued by the state

Below is one license document out of the hundreds MediaNama accessed. This is a typical license which the department of agriculture grants to private bodies, allowing them to deal in agro-products such as seeds, fertilizers, insecticides and so on. The document contains the name and full address of the applicant along with their signature and the dates of license issue and expiration.

A license to sell seeds, issued by the state government.

Another such document below even shows the photograph of the proprietor who applied for the license.

A license to sell and stock insecticides, issued by the state government.


Personal data vulnerable

It is clear that anyone who exchanged paperwork with, or had some association with, the agriculture department of the government of Jharkhand has their data on its website, available for download. It isn’t clear if the data was acquired with the consent of the individuals.

This is one among a spate of data leaks by several government websites in the country. It has been extensively reported that the Andhra Pradesh government leaves exhaustive and sensitive citizen data (medical data such as who takes erectile dysfunction pills, and ambulance tracking) vulnerable and available for download, leaving millions exposed online for anybody with an internet connection to access.

Last week, it was found that a portal is leaking data of 250,000 candidates who appeared for NEET 2018. The CBSE denied any such data breach, saying it was “out of question”, after Congress President Rahul Gandhi wrote to the concerned authorities about the media reports of the leak. Following the NEET leak, the portal leaking NEET data turned out to be just one among more than 50 such portals which were leaking personal and academic data of students across the country and had put it up for sale. More than 50 websites run by a single person were leaking expansive and exhaustive data containing personal information of students, including name, phone number, email address, college name, academic qualification, year of passing or the year the student is currently in, and so on. The students in question are from engineering colleges, medical schools, fashion institutes, business schools and even 12th graders. The domains are a treasure trove of personal data for advertisers who want to market their institutions and coaching classes to aspiring students.

The name of the individual and the website URLs have not been mentioned in the interest of protecting the privacy of students whose data is available on these websites. Any details which would be personally identifiable have been blacked out in the interest of the safety of the individuals.