Details of more than 9,000 people leaked on www.gov.mu

It looks likes the whistleblow on security & privacy concerns have been given a deaf ear by the Government officials. They fixed stuffs when I published my observations around MNIC but at the same time I pointed out a lot more needs to be done since there are other stuffs lurking around.

A few days ago I also highlighted security concerns surrounding .mu domains due to DNS vulnerabilities. This could be a major impact for government services running through www.gov.mu portal. Nevertheless, there doesn't seem to be any transparency of what is being done. Nothing has been announced on the security measures being adopted.

www-gov-mu

Today yet another episode gave me goosebumps. Someone, who wants to stay anonymous, tipped me that he came across a page that contained his name & phone number along with other details on the Government Portal. On my end when I analyzed the URL, through mere observation, it revealed a lot more than that.

The URL would lead to several documents revealing names, addresses, phone numbers etc. One particular URL has a list of more than 9,000 people's names, addresses, identity numbers, phone numbers and other details. All these are PUBLIC. No security mechanism. The pages are even indexed by search engines, thus risking the data to be accessible to a greater audience. On an even scary note, Google search leads to the URL with the appropriate keywords.

Do I call this a vulnerability? Nope! This is carelessness & blatant imprudence. On this note, I have sent an email to the Data Protection Office for them to trigger the necessary actions.

Two weeks ago I blew the whistle regarding privacy concerns. With a major privacy breach of this magnitude, I hope the Data Protection Office will accept my complaint and proceed accordingly.

Update 1

Complaint forms have been duly filled and submitted to the Data Protection Office.

Update 2

Upon request by the Data Protection Office, I submitted details along with supporting evidence. By late afternoon (2 June 2014), phone numbers, ID card numbers etc were removed from the file. However, other files with phone numbers still lurk on the website (/_^) ... I was expecting a major clean-up on their end. Sadly, authorities don't take privacy stuffs as a serious matter.

Update 3

Upon closer look, even the updated file contains remnants of phone numbers that can be easily identified with people. Is it really that hard to do the job?


Share this post