Recently, India’s technology giant Jio, partly acquired by Facebook, has disclosed the confidential data of people, tested for COVID-19.
In March of this year, Jio released a service that allows users to identify COVID-19 symptoms with their phone or website.
“The service was launched in March, right before India’s nationwide lockdown was announced, and allowed users to self-screen themselves for the virus. However, an apparent Jio security lapse meant that one of the core databases, where the results were stored, was exposed to the internet without any password protection”, — writes TechRadar portal.
As it turned out, the tech giant did not care about the confidentiality of its customers.
According to TechCrunch, on May 1 security researcher Anurag Sen discovered an open-source Jio database containing millions of entries, starting since April 17th. TechCrunch immediately contacted the company and its specialists disconnected insecure server.
“We have taken immediate action. The logging server was for monitoring performance of our website, intended for the limited purpose of people doing a self-check to see if they have any COVID-19 symptoms”, — said Jio spokesperson Tushar Pania in a statement.
Although the server did contain a log of errors in the site and other system messages, it also received large amounts of user-generated data.
Each test was recorded in a database indicating who is being tested (the user or relative), his age and gender. The data also included the user’s agent – a small sample of information about the browser version and operating system. This information is necessary for the correct display of the site, but can also be used to track user activity on the Web.
The database also kept individual records of those who created a personal profile in the service, allowing to update symptoms over time. Each entry contained answers to questions that asks the service, including presence of symptoms and possible contacts with infected people. If the user allowed the service access to geolocation data, his exact location also fell into the database.
“The exposure could not come at a more critical time for the Indian telecoms giant. Last week Facebook invested $5.7 billion for a near-10% stake in Jio’s Platforms, valuing the Reliance subsidiary at about $66 billion”, — reports TechCrunch.
According to the publication, Jio representatives did not answer whether the company would report about a security error to those who used the symptom tracking system.
Apparently, an incident is a result of the exceptional negligence of company’s database administrators and/or information security specialists. But, as I already said, there is a constant increase in the activity of cybercriminals, exploiting the theme of COVID-19 in one way or another, and conspiracy theories are also multiplying. Keep your mind clean and your databases secure.