Indian firms caught napping as private details of individuals were leaked
A new website, created by an anonymous user, has exposed the lack of data security practices in major companies around the world, including some Indian firms.
The website, which surfaced on the internet last week, seeks to collect all publicly available data from servers of Amazon Web Services’ storage buckets.
The website lists all publicly available data, which is sometimes harmless such as manuals for products or terms and conditions for web-based applications.
However, technology experts in India have found data containing personal information, which can potentially be a big privacy scare.
These “buckets” store information on lab test reports of lakhs of people from a Mysore-based health start-up, offer letters provided by food delivery aggregator Swiggy, online ticketing data by Justickets and bank account statements as well as income proofs submitted by people to a digital lender in Mumbai.
It was unearthed by Srikanth L, a software engineer, who found multiple data stores of Indian companies and promptly alerted them to fix the leak.
“A Mysore based / #HealthTech company/startup with Mysore clientele exposing Lab reports, prescriptions, a scan of signatures (Yes, doctors yours too!) 1000+ documents,” he wrote on Twitter.
Srikanth said that while public storage buckets on Amazon serve an important use case, disseminating publicly accessible information to users quickly and effectively, companies should be careful about putting personally identifiable information or confidential documents there, and should restrict access if they do choose to upload such material to third-party servers.
For instance, Swiggy has delegated its HR functions to a start-up Hirexp, which seems to have uploaded resumes, offer letters and recordings of interviews on Amazon servers.
While the company said there was no leak from its end, Business Standard reviewed these documents and recordings, which were made private by Tuesday evening.
“We take information security seriously, and have put robust guards in place to ensure we protect private information,” Swiggy said.
HireXP, for its part, said that the Swiggy offer letters were dummy ones, even though the ones reviewed showed a clear break-up of people’s salaries, joining dates, positions and other details of employment.
“Swiggy is not using HireXP panel to send offer letters and the letters available on the portal are dummy letters,” HireXP stated.
Mumbai-based digital lender Gromor Finance seemed to have exposed bank statements and details of its entire customer base.
The company fixed the exposure as soon as it was reported to it, but maintained it was only a test environment.
“We had a test environment with random information for testing purposes. At no point was any loan information used or exposed in the test environment.
“As a matter of abundant caution, this test environment was terminated as soon as it came to our attention,” said Santosh Shetty, co-founder, Gromor Finance.
It was also discovered that some of these buckets were “writable”, meaning that the data could be modified by anyone accessing them.
One such bucket held 500,000 resumes, though the owner of the database could not be identified.
It is difficult to ascertain exactly how many individuals might have been affected by these leaks, Srikanth said.
While the RBI has been focusing on data localisation, there are few enforcement mechanisms that limit the flow of information or improve data security and privacy in India.
“Although most companies identified in the leaks were hosting in India, leaked bank statements were available globally.
“Health records of people were available freely. We need a data protection law with stringent penalties such as GDPR, so companies treat user data with respect, sensitise their employees about the importance of personal data,” Srikanth said.
Amazon Web Services refused to comment but an insider said the issue of leaky buckets is not from their end but comes through developers who often use default public sharing settings for private information.
“Amazon S3 is secure by default. If customers use the default configuration, the bucket locks down access to just the account owner and root administrator.
“Well over a million customers continue to use Amazon S3 safely and securely.
“A core tenet of Amazon Web Services since the very start has been to allow builders the flexibility to change our default configurations to suit whatever style of app they’re constructing,” said the source.
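A defender-side check for the two failure modes the article describes (publicly readable buckets and the “writable” ones), added here as an example and not code from the article or from any company named in it: it classifies ACL documents in the shape returned by boto3’s get_bucket_acl(), using constructed sample buckets, and the audit_account() hook runs the same logic over your own account.

```python
from typing import Dict, List
# S3's predefined groups: AllUsers is anyone on the internet; AuthenticatedUsers is
# anyone holding *any* AWS account, which for data-protection purposes is also public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

def classify_acl(acl: Dict) -> List[str]:
    """Findings for one ACL (shape of boto3's get_bucket_acl()): public-read = anyone can
    list/download (the leaks in the article); public-write = anyone can upload/overwrite
    (the "writable" buckets); public-acl-write = anyone can rewrite the ACL itself."""
    findings = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue  # owner and specific-account grants are not public
        perm = grant.get("Permission")
        if perm in ("READ", "FULL_CONTROL"):
            findings.add("public-read")
        if perm in ("WRITE", "FULL_CONTROL"):
            findings.add("public-write")
        if perm in ("WRITE_ACP", "FULL_CONTROL"):
            findings.add("public-acl-write")
    return sorted(findings)

def audit_acls(acls: Dict[str, Dict]) -> Dict[str, List[str]]:
    """Bucket name -> findings, keeping only buckets that carry a public grant."""
    report = {}
    for name, acl in acls.items():
        findings = classify_acl(acl)
        if findings:
            report[name] = findings
    return report

# Constructed sample ACLs for three hypothetical buckets (names and IDs are made up).
_OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}
SAMPLE_ACLS = {
    "locked-down": {"Grants": [{"Grantee": _OWNER, "Permission": "FULL_CONTROL"}]},
    "public-docs": {"Grants": [{"Grantee": _OWNER, "Permission": "FULL_CONTROL"},
                               {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "writable-dump": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
                                 {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"}]},
}

def audit_account() -> Dict[str, List[str]]:
    """Same check over the caller's own buckets; needs boto3 and AWS credentials."""
    import boto3  # imported here so the offline sample above runs without boto3 installed
    s3 = boto3.client("s3")
    names = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    return audit_acls({n: s3.get_bucket_acl(Bucket=n) for n in names})
```

Bucket policies and S3 Block Public Access settings are a separate layer not covered by ACLs, so a clean ACL report alone does not prove a bucket is private.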
Photograph: Kacper Pempel/Reuters