Covid test results of 1.7m people exposed online

An Elasticsearch server belonging to a healthcare software provider in India is currently exposing the Covid antigen test results of Indians and foreign nationals who traveled to or from India in the last couple of years.

It is worth noting that these tests were taken through a rapid antigen kit known as Covi-Catch. Covi-Catch is an Indian Council of Medical Research (ICMR) approved self-testing kit for COVID-19.

What’s worse, the server is still exposed and publicly accessible without any security authentication or password. Originally, the server is being exposed since July 2, 2022.

It all started when Anurag scanned for misconfigured databases on Shodan and noted a server exposing more than 23GB worth of data to public access. Anurag said that the server belongs to a company based in Gurgaon, Haryana, India, but we would not share the name of the company in this article because the server is still exposed.

Anurag’s analysis of the server revealed that the exposed records are actually Covid antigen test results, while the number of victims in the incident is over 1.7 million. These results not only comprise personal records but medical records of travelers including the following information:

Gender
Full names
Nationality
Date of birth
Full addresses
Phone numbers
Vote ID numbers
Covid test results
Aadhaar numbers
Passport numbers
Underlying medical conditions
Vaccine details (vaccine type, vaccine taken or not).

Recently, Anonymous hacker collective have claimed to be behind attacks on several websites affiliated with the Iranian government amid protests following the death of 22-year-old Mahsa Amini.