An Elasticsearch server belonging to a healthcare software provider in India is currently exposing the Covid antigen test results of Indians and foreign nationals who traveled to or from India in the last couple of years.

It is worth noting that these tests were taken through a rapid antigen kit known as Covi-Catch. Covi-Catch is an Indian Council of Medical Research (ICMR) approved self-testing kit for COVID-19.

This was confirmed to Hackread.com by Anurag Sen, a prominent independent security researcher. What’s worse, the server is still publicly accessible without any authentication or password. It has been exposed since July 2, 2022.

It all started when Anurag scanned Shodan for misconfigured databases and noticed a server exposing more than 23 GB of data to the public. Anurag said the server belongs to a company based in Gurgaon, Haryana, India, but we will not name the company in this article because the server is still exposed.
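The exposure described above, an Elasticsearch node answering on its HTTP port with no authentication, is something a practitioner can confirm in two requests: GET / returns the cluster banner, and GET /_cat/indices reports how much data is reachable. The script below is an added example written for this article, not code from Hackread or the researcher. The target URL and the sample responses are constructed; probe only hosts you are authorised to test.

```python
"""Check whether an Elasticsearch endpoint answers without credentials.

Added example for this article, not code from Hackread or the researcher.
The target URL and the sample responses below are constructed assumptions;
only probe hosts you are authorised to test.
"""
import json
import sys
import urllib.error
import urllib.request


def fetch(url, timeout=5):
    """GET url and return (status, body); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """Interpret the response to GET / on the REST port (9200 by default).

    A cluster with xpack.security.enabled: true answers 401 to anonymous
    requests; an open one returns its banner with no credentials at all.
    """
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "unknown"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return "open"
    return "unknown"


def summarize_indices(cat_indices):
    """Total documents and bytes from GET /_cat/indices?format=json&bytes=b.

    System indices (names starting with '.') are skipped so the figure
    reflects application data, which is what a disclosure report needs.
    """
    indices = docs = size = 0
    for idx in cat_indices:
        if idx["index"].startswith("."):
            continue
        indices += 1
        # Closed indices report null counts; treat them as zero.
        docs += int(idx.get("docs.count") or 0)
        size += int(idx.get("store.size") or 0)
    return {"indices": indices, "docs": docs, "bytes": size}


def probe(base_url):
    """Run the two requests and return a small report dict."""
    base = base_url.rstrip("/")
    status, body = fetch(base + "/")
    report = {"target": base, "verdict": classify(status, body)}
    if report["verdict"] == "open":
        status, body = fetch(base + "/_cat/indices?format=json&bytes=b")
        if status == 200:
            report.update(summarize_indices(json.loads(body)))
    return report


# Constructed sample responses, shaped like real Elasticsearch 7.x output.
SAMPLE_ROOT = json.dumps({
    "name": "node-1", "cluster_name": "es-prod",
    "version": {"number": "7.17.0"}, "tagline": "You Know, for Search",
})
SAMPLE_CAT = json.dumps([
    {"health": "green", "status": "open", "index": "antigen_results",
     "docs.count": "1700000", "store.size": "24000000000"},
    {"health": "green", "status": "open", "index": ".kibana_1",
     "docs.count": "12", "store.size": "40960"},
    {"health": "yellow", "status": "close", "index": "archive_2021",
     "docs.count": None, "store.size": None},
])

if __name__ == "__main__":
    # Assumed default target; pass a URL as the first argument to override.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200"
    print(json.dumps(probe(target), indent=2))
```

A verdict of "open" with a non-zero document count is exactly the condition the article describes. The fix on the server side is configuration, not code: set xpack.security.enabled: true in elasticsearch.yml so anonymous requests get a 401, bind network.host to a private address or loopback instead of 0.0.0.0, and put a firewall rule in front of port 9200 so that only the application tier can reach it.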

What data is being exposed?

Anurag’s analysis of the server revealed that the exposed records are Covid antigen test results, and that the number of people affected is over 1.7 million. The records contain not only personal details but also medical information about the travelers, including:

  • Gender
  • Full names
  • Nationality
  • Date of birth
  • Full addresses
  • Phone numbers
  • Voter ID numbers
  • Covid test results
  • Aadhaar numbers
  • Passport numbers
  • Underlying medical conditions
  • Vaccine details (vaccine type, vaccine taken or not)

And much more…

The screenshot shows records of American, Canadian, and Indian citizens being exposed online (Image: Hackread.com via Anurag Sen)

No Response from the company

Anurag contacted the company responsible through the email address listed on its website. It has now been over a week with no response, and the server remains exposed.

Although exposing sensitive data of unsuspecting users to cybercriminals is a blunder, not responding to researchers and not caring about the mess up is simply irresponsible.

Impact

It is not yet clear whether a third party, such as a ransomware gang or another threat actor, has accessed the database. If one has, the consequences would be severe for both the affected individuals and the healthcare firm responsible for the server.

Furthermore, given the extent and nature of the exposed data, the incident can have far-reaching implications: bad actors could download the records and use the names, phone numbers, Aadhaar numbers and passport numbers for targeted phishing or identity fraud.

Attackers could also hold the company’s server or data for ransom and leak it on cybercrime forums if their demands are not met. The real victims in this situation, however, are the travelers who trusted the authorities with their personal information.


Posted by Charlie