The Rajasthan state government has patched security vulnerabilities in its Jan Aadhaar website. The portal, part of a state program that issues residents of Rajasthan a unique identifier for accessing welfare schemes, was found to expose sensitive documents and personal information belonging to millions of citizens.
How Was the Vulnerability Discovered?
CloudDefense.AI security researcher Viktor Markopoulos discovered the flaws, which could have exposed critical information about citizens who had no way of knowing they were at risk. Markopoulos brought attention to the exposure of Aadhaar cards, birth certificates, marriage certificates, electricity bills, and income statements stored in the website's database. The same flaws also leaked personal details including date of birth, gender, and father's name.
What is the Jan Aadhaar Website?
Launched in 2019, the Jan Aadhaar portal boasts over 78 million individual registrants and data of 20 million families. It aims to provide a unified identity for residents in Rajasthan and is different from the nationwide Aadhaar card issued by the UIDAI.
Bugs in the Website and Further Remediation
Markopoulos led the bug hunt that uncovered two issues in the government website. One allowed a visitor who knew a registrant's phone number to access that registrant's records without authorization; the other failed to verify one-time passwords (OTPs) properly, so the OTP step did not actually prove that the visitor controlled the phone number. After being notified by TechCrunch, the Indian Computer Emergency Response Team (CERT-In) intervened, and the issues were remediated last week.
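The two failure classes named above, an OTP-gated document lookup keyed by phone number where the OTP check does not bind the code to the phone and session it was issued for, are illustrated below. This is an added example written for this post; it is not the Jan Aadhaar portal's code, the details of the actual bugs are not public, and every phone number, OTP, document name and the `OtpGate` class are constructed for the illustration. The weak and hardened checks sit side by side so the difference is visible.

```python
"""Illustrative example (not Jan Aadhaar code): an OTP-gated document lookup.

Two generic failure classes and their fix:
  1. lookup_weak(): knowing a phone number is treated as proof of identity.
  2. OtpGate.verify_weak(): the OTP is compared against *any* outstanding OTP,
     so an attacker can request an OTP for their own phone and submit it in a
     session opened for the victim's phone.
OtpGate.verify()/lookup() show the hardened flow: OTP bound to one phone and
session, expiring, single-use, attempt-limited, compared in constant time,
and documents served only for the phone the session actually proved.
All data below is constructed sample data.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample store: phone number -> documents (hypothetical data)
DOCUMENTS = {
    "9100000001": ["birth_certificate.pdf", "electricity_bill_2023.pdf"],
    "9100000002": ["marriage_certificate.pdf"],
}


def lookup_weak(phone: str) -> list[str]:
    """Weak pattern: anyone who knows the number gets the documents."""
    return DOCUMENTS.get(phone, [])


@dataclass
class OtpChallenge:
    phone: str          # the number this OTP was sent to
    code: str           # 6-digit code
    expires_at: float   # absolute time (seconds)
    attempts: int = 0
    used: bool = False


class OtpGate:
    OTP_TTL = 300       # seconds an OTP stays valid
    MAX_ATTEMPTS = 5    # wrong guesses before the challenge is discarded

    def __init__(self, now=time.time):
        self.now = now                                   # injectable clock
        self._challenges: dict[str, OtpChallenge] = {}   # session -> challenge
        self._verified: dict[str, str] = {}              # session -> proven phone

    def issue(self, phone: str) -> tuple[str, str]:
        """Open a session bound to one phone and return (session, otp).
        A real system sends the OTP by SMS; it is returned here only so the
        example runs offline."""
        session = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[session] = OtpChallenge(phone, code, self.now() + self.OTP_TTL)
        return session, code

    def verify_weak(self, session: str, submitted: str) -> bool:
        """Weak: accepts the code if it matches ANY outstanding OTP.
        No binding to the session's phone, no expiry, no attempt limit, reusable."""
        ch = self._challenges.get(session)
        if ch is None:
            return False
        if any(c.code == submitted for c in self._challenges.values()):
            self._verified[session] = ch.phone
            return True
        return False

    def verify(self, session: str, submitted: str) -> bool:
        """Hardened: the code must be the one issued for THIS session/phone,
        unexpired, within the attempt budget, single-use, constant-time compared."""
        ch = self._challenges.get(session)
        if ch is None or ch.used:
            return False
        if self.now() > ch.expires_at:
            del self._challenges[session]
            return False
        ch.attempts += 1
        if ch.attempts > self.MAX_ATTEMPTS:
            del self._challenges[session]
            return False
        if not hmac.compare_digest(ch.code, submitted):
            return False
        ch.used = True
        self._verified[session] = ch.phone
        return True

    def lookup(self, session: str, phone: str) -> list[str]:
        """Serve documents only for the phone this session proved control of."""
        if self._verified.get(session) != phone:
            raise PermissionError("session not verified for this phone number")
        return DOCUMENTS.get(phone, [])


def demo() -> dict:
    """Run the attack against both checks and return the observed outcomes."""
    clock = [1_000_000.0]
    victim, attacker = "9100000001", "9100000002"

    weak = OtpGate(now=lambda: clock[0])
    s_att, otp_att = weak.issue(attacker)          # attacker gets an OTP for own phone
    s_vic, _ = weak.issue(victim)                  # and opens a session for the victim
    weak_bypass = weak.verify_weak(s_vic, otp_att) # weak check accepts it
    weak_docs = weak.lookup(s_vic, victim) if weak_bypass else []

    strong = OtpGate(now=lambda: clock[0])
    s_att, otp_att = strong.issue(attacker)
    s_vic, otp_vic = strong.issue(victim)
    cross_session = strong.verify(s_vic, otp_att)  # rejected: not this session's code
    legit = strong.verify(s_vic, otp_vic)          # the real recipient succeeds
    replay = strong.verify(s_vic, otp_vic)         # rejected: single-use
    clock[0] += OtpGate.OTP_TTL + 1
    expired = strong.verify(s_att, otp_att)        # rejected: expired

    return {"weak_bypass": weak_bypass, "weak_docs": weak_docs,
            "cross_session": cross_session, "legit": legit,
            "replay": replay, "expired": expired,
            "legit_docs": strong.lookup(s_vic, victim)}


if __name__ == "__main__":
    print(demo())
```

The point of the hardened path is that "OTP verified" is a property of one session for one phone number, recorded server-side, and the document lookup consults that record rather than trusting the phone number in the request.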
Prompt Action Taken by CERT-In
CloudDefense.AI asked TechCrunch for help in disclosing the vulnerabilities to the authorities. The publication contacted the Jan Aadhaar authority to report the critical bugs but received no response. It then contacted CERT-In, and the agency later confirmed that the issues had been fixed.
What Do We Learn from the Incident?
Data exposures of this kind have become common, and they usually trace back to lapses in diligence by the companies and government bodies that operate the systems. This incident could have been caught before disclosure with thorough security testing of the website, in particular of its authentication flow and of how records are authorized for release, together with regular vulnerability scanning to surface such issues before they escalate.
The Jan Aadhaar website is administered by the Rajasthan government. It is concerning that, despite substantial resources, the government had not ensured basic security controls on infrastructure holding the data of millions of people; a system known to hold that much sensitive data should have had those controls in place from the start.
Data protection regulation in much of Asia is weaker than in the EU or the US. Without compliance regimes comparable to the GDPR or CCPA, companies and government organizations face less accountability for failures on their side, which underlines how much industry regulation matters for data protection, confidentiality, and privacy.
How can CloudDefense.AI Help?
CloudDefense.AI is a CNAPP built to keep companies and organizations out of situations like this one. Using AI and machine learning models, we provide security solutions that cover applications and cloud infrastructure end to end.
Hacker's View™, a CloudDefense.AI feature, lets you scan your system from an attacker's perspective so that you can find what a threat actor would find first. Our tools, including SAST, DAST, SCA, IaC scanning, API scanning, CSPM, and CIEM, identify vulnerabilities, misconfigurations, and other weaknesses in your infrastructure so that you can remediate them promptly.
Detect threats to your system quickly and understand their severity through a single comprehensive suite, and guard against unauthorized access with a platform built on Zero Trust principles.
CloudDefense.AI has once again shown its commitment to data security. Without Viktor Markopoulos, the sensitive information of millions of Indian citizens could have been compromised. With the prompt response of CERT-In and the assistance of TechCrunch, the Rajasthan government has remediated the bugs and closed the exposure of its citizens' sensitive data.
We encourage government agencies to learn from incidents like this one, to raise their awareness of cybersecurity, and to treat strong security controls around sensitive data as a baseline requirement rather than an afterthought.
Abhishek Arora, a co-founder and Chief Operating Officer at CloudDefense.AI, is a serial entrepreneur and investor. With a background in Computer Science, Agile Software Development, and Agile Product Development, Abhishek has been a driving force behind CloudDefense.AI’s mission to rapidly identify and mitigate critical risks in Applications and Infrastructure as Code.