Internal documents, officer health records and personnel files belonging to India’s Central Industrial Security Force have gone viral online because of data security flaws.
A security researcher in India, who asked to remain anonymous for fear of retaliation by the Indian government, found a database containing network logs generated by a security device connected to the CISF's network. But the database is not password-secured, allowing anyone on the internet to access the logs from their web browser.
The network log contains detailed records of files on the CISF network that have been accessed or blocked due to security rules. Since the logs contain the full web addresses of documents stored on the CISF network, anyone on the internet can access the logs and then open the files in their browser directly from the CISF's network without a password.
The log contains records of more than 246,000 full web addresses of PDF documents on the CISF network, many of which relate to personnel and health records and contain personally identifiable information about CISF employees. Some files are dated as recently as 2022.
CISF is one of the largest police forces in the world with more than 160,000 employees, tasked with protecting government facilities, infrastructure and airport security around the country.
The researcher said that this security device was made by Haltdos, an India-based security company that specializes in providing cybersecurity technology to organizations. The database was first found on March 6, according to Shodan, a search engine for exposed devices and databases. TechCrunch confirmed that the database was configured with the name “haltdos”.
Haltdos CEO Anshul Saxena did not respond to multiple requests for comment. TechCrunch also emailed a CISF public affairs official with several web addresses containing publicly exposed files hosted on their servers, but we did not receive a response. It is not uncommon for organizations in India, including the Indian government, to quietly fix security problems when alerted by well-intentioned security researchers but then dismiss or deny the claims when they become known to the general public.
The database is no longer accessible, although the security tool itself appears to be still online.