3.5M exposed in COVID-19 e-passport leak

Passports, mobile numbers, and email addresses of Indian travelers who requested COVID e-pass have been leaked, 3.5M individuals at risk of identity theft.

Last year, due to an increase in the number of people with COVID-19, Tamil Nadu, the southernmost state in India with a population of 79 million, made a COVID e-pass mandatory.

This meant that all inter-zone travelers needed to apply for it online and enter a great deal of their personally identifiable information (PII).

Unfortunately, at least 3.5 million people’s sensitive details were exposed to the public, a recent investigation by the Cybernews research team shows. While the data comes from the peak of the pandemic (2020-2021), exposed people are still at risk of identity theft and other malicious activities.

Cybernews discovered the unprotected data during a routine investigation. The culprit was an open S3 bucket that included over 3.5 million records. Our researchers assess that the data was being leaked by a third-party service provider. While we disclosed our findings to the relevant parties following our responsible disclosure procedure, at the time of writing, the dataset is secure.

The leaking data includes:

• Name
• Passport number and/or copy
• Gender
• Mobile number and email address

• Travel details and reasons for traveling (people had to specify due to travel restrictions during the pandemic)
• Vehicle numbers

We’ve contacted the Tamil Nadu government, as well as the third-party service providers that we suspect to be behind the leak, for an on-the-record comment but have yet to receive any kind of reply.

If you want to learn more about the risk for users due to this data leak, take a look at the original post at:

https://cybernews.com/security/indian-covid-passport-data-leak/

About the author: Jurgita Lapienytė, Chief Editor at CyberNews

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, COVID-19)