A delayed COVID-19 test result of a Bengaluru resident accidentally led him to expose a massive data privacy loophole in the Karnataka government website (https://www.covidwar.karnataka.gov.in/service1), which is meant to check test results. After failing to get a response from the officials concerned, Shashi Kumar put out a series of tweets, where he explained how anybody can obtain sensitive data about patients undergoing COVID-19 tests in the state, with just Specimen Referral Form or SRF number, which is issued at the time of testing.
DATA SECURITY IN OUR COUNTRY IS A JOKE!
— shashi (@devzoy) November 10, 2020
Karnataka Govt is leaking private info of those who got tested for COVID.
In this thread, I will share my experience with the COVID test and how I learned about the way our Govt is exposing our personal data.
“While I had given my samples on October 24, I did not get my results via text message as promised by the volunteer. So, I decided to check online. When I keyed in my SRF ID, it said my result was still awaited. I thought the website was faulty; so I put the next digit in the serial SRF ID, and found the result of another person,” Shashi Kumar told TNM.
He said that with the existing system, anybody can obtain sensitive details such as name, age and gender, among other specifics of a patient who had undergone a COVID-19 test by using their respective ID. If a patient is positive for coronavirus, his patient number and district ID are also given.
The discrepancy here is the 13-digit SRF ID, which is a serial number. This means that these numbers are assigned sequentially or incrementally, and not system-generated or randomised. So, any individual, who was issued a number after taking the COVID-19 test or has access to another person’s SRF ID, can access the sensitive information about other patients, using the trial-and-error method. At the time of publishing this story, TNM could also view test results of multiple patients by using the next serial numbers of existing IDs.
Although the phone numbers of the individuals are not visible instantly, one can still access it through a simple, one-step process. However, the phone number detail has now been removed from the database after TNM brought the issue to the notice of the authorities.
“Why should this happen? How can such sensitive information like health data be made public? This level of incompetence is appalling. This could have been avoided with a one-time password-based authentication. The problem is that one can get information about another person by manually trying every possible digit one can think of. Somebody who can write a simple code can get data of all the patients as the API (application programming interface) is public.”
My SRF ID was 2952502847151 so I thought let’s try for the next person to see if the site is actually working properly. It worked, the next person’s id 2952502847152 showed the following result. pic.twitter.com/HjRvUZMwbG
— shashi (@devzoy) November 10, 2020
Shashi said that other than a breach of confidentiality, this can also lead to fraudsters misusing the data and targeting vulnerable people, especially senior citizens, in many ways, by claiming to be a government official.
Gagan Jain, the Chief Executive Officer of Cyber Safe Bangaluru and a cybersecurity expert, also agreed that there was a problem with how the data can be accessed. He said, "In India, currently we don't have a law specific to protecting individual's data. So, there is no legal concern, but certainly, this is an ethical issue,” he said.
"The issue can be solved by employing an authentication factor to it like an OTP or a password-based system. This would also prevent anybody from collecting data in bulk," he added.
When TNM reached out to senior IAS officer Munish Moudgil, who is heading the COVID-19 War Room in the state, he acknowledged the issue and said, “We are examining the matter. The tech team is at it. We will fix the issue, if any.”
Earlier in March, the Karnataka government was criticised for making addresses of those under home quarantine public.