Internal documents, medical records of agents and personal data of the Central Industrial Security Service of India have been circulated on the Internet due to a lack of data security.
An Indian security researcher who requested anonymity from the Indian government for fear of retaliation discovered a database full of network logs generated by a security device connected to the CISF network. But the database was not password protected, so anyone on the Internet could access the logs from their web browser.
Network logs contain detailed records of which files were opened or blocked on the CISF network in accordance with security rules. Because the journals contained the full web addresses of documents stored on the CISF network, anyone on the Internet could access the journals and then open those files directly from the CISF network in their browser, even without a password.
The logs contain entries for over 246,000 full web addresses of PDF documents on the CISF network, many of which pertain to personnel and medical records and contain personal information about CISF officers. Some files are already 2022.
The CISF is one of the largest police forces in the world with over 160,000 members tasked with guarding government facilities, infrastructure and airport security throughout the country.
The researcher said the security tool was created by Haltdos, an Indian security company that provides organizations with network security technologies. According to Shodan, a search engine for unprotected devices and databases, the database was first discovered on March 6th. gaming-updates confirmed that the database is set to the name haltdos.
Haltdos CEO Anshul Saxena did not respond to multiple requests for comment. gaming-updates emailed the CISF PR official several web addresses of public files stored on their servers, but we have not received a response. It is not uncommon for organizations in India, including the Government of India, to quietly address security issues when alerted by goodwill security researchers, but always dismiss or reject claims when they become known.
The database is no longer available, although the security tool itself is still online.