Internal documents, officer health records, and personnel files belonging to India’s Central Industrial Security Force were spilling online because of a data security lapse.
A security researcher in India, who asked not to be named for fear of retaliation from the Indian government, found a database packed with network logs generated by a security appliance connected to CISF’s network. But the database was not secured with a password, allowing anyone on the internet to access the logs from their web browser.
The network logs contain detailed records of which files on CISF’s network were accessed or blocked because of security rules. Because the logs contained full web addresses of documents stored on CISF’s network, it was possible for anyone on the internet to access the logs, and then open those files in their browser directly from CISF’s network, also without needing a password.
The logs contained records for more than 246,000 full web addresses of PDF documents on CISF’s network, many of which relate to personnel files and health records, and contain personally identifiable information on CISF officers. Some of the files are dated as recently as 2022.
CISF is one of the largest police forces in the world with more than 160,000 personnel, tasked with protecting government facilities, infrastructure, and airport security across the country.
The researcher said the security appliance is built by Haltdos, an India-based security company that provides network security technology to organizations. The database was first found to be exposed on March 6, according to Shodan, a search engine for exposed devices and databases. TechCrunch confirmed that the database was configured with the name “haltdos.”
Haltdos CEO Anshul Saxena did not respond to multiple requests for comment. TechCrunch also emailed a CISF public affairs officer with several web addresses of publicly exposed files stored on its servers, but we did not receive a response. It’s not uncommon for organizations in India, including the Indian government, to quietly fix security issues when alerted by good-faith security researchers but then rebuff or deny the claims when they invariably become public knowledge.
The database is no longer accessible, though the security appliance itself appears to still be online.