A Critical Vulnerability Exposes Private Data in Indian Government Systems
In a stark reminder of the importance of cybersecurity, an independent security researcher has uncovered 14 vulnerabilities affecting Indian government IT systems, putting millions of citizens’ personal data at risk. The discoveries, made by Sushant Bhardwaj, were promptly addressed by the government, but not before highlighting a worrying trend: lax access controls and poor identity management practices in critical public-facing portals.
The most concerning vulnerability was found in the national government portal managed by the Union Public Service Commission (UPSC), which handles recruitment for civil service workers. Bhardwaj discovered that the administrative interface managing authentication to the portal was left open to anyone on the Internet, essentially allowing a hacker to take control of the system and its sensitive data. This is particularly alarming given the number of applicants – over 1.3 million in 2023 alone – who have entrusted their personal information to UPSC.
The researcher also found other critical vulnerabilities, including missing browser-level security headers and cryptographic issues, which could have been exploited for automated credential attacks. Furthermore, Bhardwaj discovered that several portals managed by the Delhi government were vulnerable to information disclosure, exposing sensitive student enrollment data and employee records to anyone who knew where to look.
Experts say that such vulnerabilities are often not due to complex hacking techniques, but rather simple errors or omissions in access control practices. Trey Ford, chief strategy and trust officer at Bugcrowd, notes that “the most common public sector failure is a simple error like leaving a directory open.” This highlights the need for coordinated disclosure and proper ownership of access control across all public-facing assets.
The Indian government’s swift response to address these vulnerabilities is commendable. However, this incident serves as a stark reminder of the importance of robust cybersecurity practices in protecting citizens’ personal data. Organizations, especially those handling sensitive information, must prioritize identity management, authentication, and access controls to prevent such breaches from occurring in the first place.
For individuals, this means being vigilant about sharing personal data online and verifying that organizations handle their information securely. For governments and organizations, it highlights the need for regular security audits, robust incident response plans, and coordinated disclosure practices to ensure that vulnerabilities are identified and addressed before they can be exploited.
Source: Dark Reading — 2026-06-29