Ethical hacking: Why India needs to protect digital whistleblowers
A bug discovered in a government health portal last year left data of nearly two million Indian patients unguarded. The discovery has highlighted the need to encourage ethical hacking in a country which is digitising its infrastructure rapidly, writes Nilesh Christopher.
One year ago, India’s state-run health portal – which allows users to book online appointments at government hospitals – left exposed a part of its website.
This meant that the personal details and health information of nearly two million users could have leaked.
Security researcher Avinash Jain discovered the vulnerability in the Online Registration System (ORS) in August 2018.
He was able to access details such as the patient’s full name, address, age, mobile number, history of appointments made via the portal, patient ID, partial Aadhaar number (a unique biometric identification number) and details of diseases ailing an individual.
“The bug would have allowed any attacker to access details of patients who had booked an appointment in any of the 237 registered [government] hospitals,” said Mr Jain.
At the time, he reported the vulnerability to the Indian Computer Emergency Response Team (CERT-In) and the flaw in the government portal was patched in October last year. CERT-In is an office within the ministry of electronics and information technology which deals with cyber security threats.
This correspondent has seen the email correspondence between the researcher and CERT-In from last year.
According to Mr Jain, the incident highlighted the need to encourage ethical hacking in India.
In 2015, the country launched the ORS health portal as an easy way for users to book online appointments and skip long queues at government hospitals.
Source: BBC