Indian Ministry of External Affairs Platform Leaked Expats’ Passport Information
The Cybernews Research Team Reported that the Portal Exposed Phone Numbers, Passport Numbers and More.
Sensitive information, such as names and passport numbers, was exposed through the Global Pravasi Rishta Portal, India’s government platform for communicating with its overseas population. The Cybernews investigation team was informed that the Global Pravasi Rishta Portal was leaking users’ personal information. Unfortunately, the information proved to be correct.
The owner of the platform is the Ministry of External Affairs of India, the government agency responsible for implementing the country’s foreign policy. The Global Pravasi Rishta portal’s purpose is to facilitate communication among the Ministry of External Affairs, Indian Missions, and the Indian diaspora. In English, Pravasi Rishta means ‘expat relationships’.
The platform exposed user names, surnames, country of residence, and email addresses in plaintext, as well as occupation status, phone and passport numbers. The leak was possible because of poor security measures, such as a lack of authentication methods.
The Cybernews team has reached out to the Ministry of Foreign Affairs to inform them of the data leakage. They did not receive a response, but it seems that the security issue was resolved several days later.
What Caused the Data Leakage?
It seems that by manipulating the URL, anyone could access the edit information for any user on the website, which exposed the data. To put it another way, since changing the user ID in the URL results in accessing a different user’s account, it takes only one registered user to access all of them.
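The missing check described above, as an added example that is not from the Cybernews report or the portal's code: a Python sketch with constructed records and hypothetical function names, showing a handler that trusts the user ID in the URL beside one that ties the lookup to the authenticated session.

```python
# Added illustration; all names and records are constructed, not the portal's.
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    user_id: int
    name: str
    passport_no: str


# Constructed sample data standing in for the user table.
PROFILES = {
    101: Profile(101, "User A", "X0000001"),
    102: Profile(102, "User B", "X0000002"),
}


class Forbidden(Exception):
    """Raised when the session does not own the requested record."""


def edit_page_unchecked(session_user_id: int, url_user_id: int) -> Profile:
    # Flaw described in the article: any logged-in user is served whatever
    # record the ID in the URL names; the session identity is never compared.
    return PROFILES[url_user_id]


def edit_page_checked(session_user_id: int, url_user_id: int) -> Profile:
    # Object-level authorization: the record must belong to the session user.
    # Same error for "not yours" and "does not exist" so IDs cannot be probed.
    profile = PROFILES.get(url_user_id)
    if profile is None or profile.user_id != session_user_id:
        raise Forbidden("record not available to this session")
    return profile


def can_read(handler, session_user_id: int, url_user_id: int) -> bool:
    """Return True if the handler serves the record to this session."""
    try:
        handler(session_user_id, url_user_id)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    print("unchecked, 101 reads 102:", can_read(edit_page_unchecked, 101, 102))
    print("checked,   101 reads 102:", can_read(edit_page_checked, 101, 102))
    print("checked,   101 reads 101:", can_read(edit_page_checked, 101, 101))
```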
According to the Cybernews research team, user risk is significantly increased when passport numbers are exposed. The team notes that while it is not very likely, identity theft may occur if a passport number is disclosed to threat actors.
The researchers also explain that passport information may be used for other types of fraud when combined with other leaked data. Users of the platform should monitor their credit file and history, and use multi-factor authentication (MFA) with strong passwords.
If you want to learn more about governmental cybersecurity, you can read this piece that my colleague Alina wrote: Essential Cybersecurity Considerations for Governmental Organizations.