
Security breach exposed personnel records and medical records of CISF in India – TechCrunch

Internal documents, medical records of officers and personal files belonging to India’s Central Industrial Security Force leaked online due to a data security breach.

A security researcher in India, who asked not to be named for fear of reprisals from the Indian government, found a database full of network logs generated by a security appliance connected to CISF’s network. But the database was not password-secured, allowing anyone on the Internet to access the logs from their web browser.

The network logs contain detailed records of files on CISF’s network that have been accessed or blocked due to security policies. Because the logs contained the full web addresses of documents stored on CISF’s network, anyone on the Internet could read the logs and then open those files in their browser directly from CISF’s network, too, without needing a password.

The logs contained records for more than 246,000 full web addresses of PDF documents on the CISF network, many of which relate to personnel records and health records, and contain personally identifiable information about CISF agents. Some of the files are dated as recently as 2022.

CISF is one of the largest police forces in the world with over 160,000 personnel, responsible for protecting government facilities, infrastructure and airport security across the country.

The researcher said the security appliance is built by Haltdos, an India-based security company that provides network security technology to organizations. The database was first discovered on March 6, according to Shodan, a search engine for exposed devices and databases. TechCrunch confirmed that the database was configured with the name “haltdos”.

Haltdos CEO Anshul Saxena did not respond to multiple requests for comment. TechCrunch also emailed a CISF public affairs officer with several web addresses of publicly exposed files stored on its servers, but we have not received a response. It is not uncommon for government organizations in India to quietly address security issues when alerted by bona fide security researchers, then dismiss or deny the allegations when they invariably become public knowledge.

The database is no longer accessible, although the security appliance itself still appears to be online.
