The Indian Ministry of External Affairs (MEA) has patched its expat relations portal that was leaking sensitive information, such as passport numbers. The Global Pravasi Rishta Portal is a portal used by the Indian government to communicate with its expatriate community.
Cybernews received an alert this month that the Global Pravasi Rishta Portal was leaking private user information.
Further enquiry revealed that PII, including usernames, last names, country of residence, email addresses, professional status, phone numbers, and passport numbers, was available in plaintext. Cybernews determined that poor security procedures, such as a lack of authentication mechanisms, made the breach possible.
Researchers who checked the website for The Cyber Express confirmed that the vulnerability was patched. The Ministry of External Affairs refused to comment on detailed enquiries made by The Cyber Express.
Access to overseas Indians
The Global Pravasi Rishta Portal is part of the Indian government’s expat outreach programme, aimed at connecting 30 million non-resident Indians worldwide. The MEA, the arm of the Indian government in charge of carrying out foreign policy, is the platform’s owner.
“The portal has been created to enable the registration of Indian diaspora members i.e. NRIs and the OCIs, which is going to facilitate the Government of India to connect with the overseas Indian community through Indian Missions. This will also facilitate members of the Indian diaspora by connecting them to various new and existing government schemes benefiting them in various areas of interest,” said a Consular announcement about the portal.
The MEA classifies the diaspora as Non-Resident Indians (NRIs), Persons of Indian Origin (PIOs), and Overseas Indians. According to the MEA, there are more than 13 million NRIs, nearly 18 million PIOs and about 32 million Overseas Indians.
The presence of personal data of this many individuals makes any data breach in such a portal critical, Beagle Security Senior Cyber Security Engineer Manindar Mohan told The Cyber Express.
More citizen data out
The breach and the subsequent patch come hot on the heels of another instance in which approximately 5,000 identity documents of Indian citizens were put up for sale on limited-access Telegram channels. These include Aadhaar, the Indian citizen identification number, as well as driver’s licenses and passports.
This information was later posted on the clear net, where anyone could access it for free using just a Google search. Even though the number in this instance is limited, that does not mitigate the possible damage, said Mr Mohan. “Data breaches are challenging and inevitable and when it comes to sensitive personal information like passport, a leak can have a number of regrettable effects, including identity theft,” he said.
“Such sensitive information should be maintained under strict protection with no tolerance for error.”