20/06/2018 9:24 AM IST | Updated 20/06/2018 9:29 AM IST

Caught Leaking Names And Numbers Of People Buying Viagra From Government Stores, AP Orders Security Audit

HuffPost Impact: Andhra Pradesh Moves To Plug Personal Data Leaks


After a few days of nonstop reports from HuffPost, followed up by others, the Andhra Pradesh state government has finally decided to order an audit of all government websites. According to the New Indian Express, the trigger for the audit was the exposure of people who bought medicines from AP's Anna Sanjivini stores. HuffPost exclusively broke this story on Monday, reporting how the details of a man buying generic Viagra were leaked by the state.

According to the report, Chief Minister N Chandrababu Naidu has directed the IT department to audit all the state portals. However, this activity was apparently already carried out in the first week of May, when 320 government websites were audited for vulnerabilities, after which HuffPost found instances of leaks still taking place.

"We have asked the Andhra Pradesh State Cyber Security Operations Centre (APCSOC) to conduct an audit of all the departments' websites to identify if any sensitive public data is available on them," Principal secretary of IT, K Vijayanand, told TNIE. "Here on, we will audit all the portals for both cyber security vulnerabilities and privacy issues. The audits will be done on a monthly basis."

However, there are a lot of challenges ahead. A report in Times of India, also published last night, revealed yet another data breach from Andhra Pradesh. In this breach, if you have access to a person's Aadhaar number (something that's been leaked in the past, and which can be found thanks to the number of places it's being seeded), then you can see the data the government collected for its Praja Sadhikhara Survey (Smart Pulse Survey).

Security researcher Srinivas Kodali reported this to the government on Tuesday, and the site has since been disabled as well. "I have reported the security issue to the AP government. Just visiting the link and entering a number will give the information," Kodali told TOI. "The website has 4.5 crore people's data, and all the details of the survey are here. The data is about the smart pulse survey. The survey started in July 2016 and is ongoing. Earlier, when a similar breach happened, officials brought down the site."

Previously, AP government websites have been leaking all kinds of data, which is available through something called the People's Hub - a vast database that brings together data from different sources into simple and searchable dashboards.

We have reported exclusively on many of these data leaks, which pushed the government into finally taking some steps to improve security. These include a dashboard to track people in ambulances, with details about their conditions, so strangers can follow the progress of pregnant women with ease; another to let you search for and precisely geo-locate people on the basis of their caste and religion; and of course, the one that kicked off this latest round of introspection, a website that broadcast the names and phone numbers of people buying medicines - like generic Viagra and HIV medicines - from the state's Anna Sanjivini stores.

Sources told TNIE that private data was being uploaded due to lack of awareness, and that their efforts to prevent the same were being stonewalled by government officials who are afraid of being exposed and sharing data with other departments.

"Educating the governmental staff on the motivations of security policies, the importance of working safely and how to contribute to the security of their organizations can help mitigate the risk of security incidents and safeguard what is truly important - their data," a representative of security firm Kaspersky Labs told HuffPost.
