Jio

India’s largest cell network Jio, a subsidiary of Reliance, launched its coronavirus self-test symptom checker in late March, just before the Indian government imposed a strict nationwide lockdown to prevent the further spread of the coronavirus.

A security lapse exposed one of the symptom checker’s core databases to the internet without a password.

The database contains millions of logs and records starting April 17 through to the time that the database was pulled offline.

Although the server contained a running log of website errors and other system messages, it also ingested vast numbers of user-generated self-test data.

Each self-test was logged in the database and included a record of who took the test — such as “self” or a relative, their age, and their gender.

The data also included the person’s user agent, a small snippet of information about the user’s browser version, and the operating system often used to load the website properly but can also be used to track a user’s online activity.

Some of the records also contained the user’s precise location, but only if the user allowed the symptom checker access to their browser or phone’s location data.

Most of the location data were clustered around major cities, such as Mumbai and Pune. TechCrunch also found users in the United Kingdom and North America.

Source: https://techcrunch.com/2020/05/02/jio-coronavirus-security-lapse/

"id": "JIO2219291222",
"linkid": "jio",
"type": "Data Leak",
"date": "05/2020",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"