Contents:
A leak that exposed the private information of thousands of COVID-19 patients was discovered on Resileo’s servers this August. The India-based IT and consulting firm has clients like HCL Technologies, Verizon, and RCS Group.
The company offers application performance monitoring (APM) services and works with Indian Council for Medical Research (ICMR), helping them analyze data. ICMR was assisting and coordinating measures for containing the COVID-19 pandemic in India.
The Source of the Leak
VPNOverview’s security research team found an unsecured AWS S3 bucket that contained admin credentials. Using the credential, the researchers were able to access Resileo’s production database servers.
When our team connected to Resileo’s production databases, we found private information about COVID-19 patients. We also found data that strongly suggests police in South India had a system for tracking COVID-positive individuals through cell phone tower pings.
Data Contained by the Leak
Several sets of data were within reach, the largest one containing the private information of 9,924,433 individuals.
All the sets of data combined provided private details like:
- Patients’ symptoms as cough, fever, and diarrhea.
- The age and gender of some patients.
- Mobile phone numbers and IMEI numbers.
- Patients’ location, date of isolation, and COVID testing history.
IMEI numbers, which are unique to each gadget, can be used to track a phone as it communicates with different mobile towers.
Indian Police Was Tracking Patients’ Mobile Devices
The leak also showed that police authorities in southern India were tracking COVID-19 cases using cell phones. Mobile devices were monitored based on the towers they communicated to, and the logins were stored in a database.
Police in southern India would have had access to an individual’s COVID status, their mobile, and IMEI number, the cell phone towers their device connected to, and precise geolocation data indicating the distance of their device from the tower.
The police appear to have used this data to track the movements of COVID positive people, but it is unclear whether they were able to track people in real-time.
Consequences of Resileo Data Leak
The exposed information seems to date from the spring of 2020, when India was battling the Delta variant. Resileo has closed the breach meantime, securing the data.
The incident raised a number of concerns like third-party data sharing, as the people affected by the breach gave their information to the ICMR, not Resileo, and if the data should have been collected or not in the first place. Information like mobile numbers should have been anonymized.
The data leak leaves victims vulnerable to cybercrimes. Threat actors can use medical data in social engineering scams, for example.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.
