Vulnerabilities Expose Private Data in Indian Government Systems

India’s Government IT Systems Left Exposed to Cyber Threats, 14 Vulnerabilities Found

A recent discovery by an independent security researcher has left Indian government IT systems vulnerable to cyber threats, exposing sensitive citizen data. The vulnerabilities, identified in April by Sushant Bhardwaj, affect major national platforms used by millions of students and job aspirants. Thankfully, the government acted swiftly to patch all 14 issues within a few weeks.

The issue lies in the fact that some Indian government IT systems lack robust access controls, making it possible for anyone with malicious intent to gain unauthorized access to sensitive data. For instance, Bhardwaj found that two Delhi government directories didn’t enforce server-level access controls, allowing him to access private data without authentication. He also discovered predictable naming structures in the files within these directories, making it easy for him to find and exploit the vulnerabilities.

The researcher identified 14 vulnerabilities across various Indian government portals, including education and civil service platforms used by millions of citizens. Two of the issues were categorized as critical severity, while four were labeled high severity. The exposed data included personally identifying information (PII) such as birthdays, addresses, and bank account numbers. For example, in one case, Bhardwaj found that 4,399 individuals had their names, guardians’ names, schooling details, scholarship information, and complete bank account numbers exposed online.

The most alarming discovery was made in a national government portal from the Union Public Service Commission (UPSC), which is responsible for recruiting civil service workers. Bhardwaj identified a dozen vulnerabilities in UPSC’s portal, many of which resulted from poor identity and access management (IAM). The administrative interface managing authentication to the portal was left entirely open to anyone on the internet, making it trivial for hackers to gain complete control over the system.

Experts attribute these security lapses to the lack of accountability and ownership within large government organizations. “When many citizen-facing portals are built and operated through shared infrastructure, no single owner ends up accountable for whether each one enforces access control,” says Trey Ford, chief strategy and trust officer at Bugcrowd. This case highlights the importance of treating coordinated disclosure as defensive infrastructure to prevent such vulnerabilities from turning into serious threats.

The swift action taken by the Indian government in addressing these vulnerabilities is a welcome step towards securing their IT systems. However, this incident serves as a stark reminder of the ongoing need for robust security measures and accountability within government organizations handling sensitive citizen data.


Source: Dark Reading — 2026-06-29