DUBAI: Confidential personal records of over 34 million residents in the Indian state of Kerala have been compromised in one of the biggest data breaches in the world.

The breach occurred last fortnight when an Indian man living in Tokyo hacked the Kerala government’s civil supplies department website and uploaded the sensitive information of all of Kerala’s 8,022,360 Public Distribution System (PDS) beneficiaries and their family members on Facebook.

The data reveals names, addresses, birth dates, gender, monthly incomes, electoral card details, consumer numbers of power and cooking gas connections. The massive leak has sparked fears that the information could fall into the wrong hands if it hasn’t already.

Dangerous consequences

A cyber security expert in Dubai fears the breach can have dangerous consequences. “The data could be used to duplicate SIM cards or reset net banking passwords. It’s very serious.” Tokyo-based IT consultant N.T.R. who hacked the website civilsupplieskerala.gov told XPRESS he took the extreme step to expose the security flaws in the site after attempts to draw attention towards them [weaknesses] fell on deaf ears. The website is designed, developed and hosted by India’s National Informatics Centre (NIC).

“I wrote to the NIC several times pointing to the vulnerabilities and even called the civil supplies office warning them about a possible breach, but they ignored me. I had no option but to make the information public in a Facebook post,” N.T.R., a native of Thiruvananthapuram, said from Tokyo.

He said breaking into the website was easy as the government had made a major gaffe by posting the entire list of PDS beneficiaries online.

Prepared as part of the Food Security Act 2013, the list was released just last month.

According to reports, the Kerala government put the list online so that residents could verify their personal data and apply for corrections before new ration cards are printed in 2017.

“It was foolish on their part to put all ration card numbers on the website. All I had to do was make a data set of these numbers and then fetch the corresponding data for each number. It was simple as the security methods on the website were primitive. It took me just one week to access and transfer around 100GB of data. I am appalled no one raised the red flag despite the fact that I used the same IP address to make over 30 million requests,” said N.T.R.

Significantly, most servers block multiple requests originating from the same IP address.