On June 22, 2020, the Twitter handle of the High Commission of India, Pakistan tweeted out the URL to a document containing the name, age, sex, passport number and mobile number of 748 Indian citizens who were to be repatriated.
A few hours later, the tweet was taken down. We sent another email to CERT-IN, asking them to take down the URL (the actual source of breach), which was still publicly available to anyone who knew how to look up Google’s web cache and follow the link from there on.
We never heard back. Yesterday, we received mail delivery failure notices – both our emails had failed to reach CERT-IN. Today, I ran passive SMTP checks on cert-in.org.in – all of which failed.
All this while, the document lives on in the public domain.
The issue is that CERT-IN/HCI, Pakistan treated the symptom (the tweet), not the disease (the document that is still publicly accessible).
In most US states, a data breach involving 500+ records would be considered serious enough to warrant extensive communication, compliance, and investigation, particularly if it leaks sensitive PII of minors. A passport number is one example of “standalone sensitive PII”.
We have two issues now:
- A leak that hasn’t been plugged
- A CERT that’s not reachable via email