Vulnerabilities Expose Private Data in Indian Government Systems
Dark Reading
One critical vulnerability, among many discovered by a researcher, could have allowed anyone to walk in and take over a national government portal.
Nate Nelson, Contributing Writer
June 29, 2026
An independent security researcher identified 14 vulnerabilities affecting Indian government IT systems, which put an array of citizen data at risk.
Two of the issues qualified as critical severity, and four as high severity. They affected major national platforms, including education and civil service portals used by millions of students and job aspirants, exposing highly sensitive personally identifying information (PII) like birthdays, addresses, and bank account numbers.
Thankfully, the government of the world's largest country listened to the young researcher and patched all of the vulnerabilities in two to three weeks' time.
Vulnerabilities in Indian Government Systems
Somewhere shy of two million students are enrolled in schools overseen by the Directorate of Education in Delhi. That makes for a large blast radius in the case of any information disclosure vulnerability.
In April, independent cybersecurity researcher Sushant Bhardwaj found that the access controls protecting two Delhi government directories weren't enforced at the server level. It's a common problem — users might be outwardly presented with an access denied message, but there's nothing stopping them from simply skipping past it.
Bhardwaj got into the directories without authentication. As a bonus, the files within the directory followed predictable naming structures, so he was able to find a variety of interesting, private data simply by tinkering with the URL he visited. In all, student enrollment data — names, parents' names, school details, etc. — as well as their exam results, were exposed along with employee records.
Bhardwaj found another information disclosure issue in a different Delhi government IT portal, this time affecting fewer people but exposing them to far greater risk. The portal in question managed scholarships, thus exposing a relatively higher percentage of lower-income individuals. Thanks again to missing authentication and predictable file structures, 4,399 people had their names, guardians' names, schooling and scholarship information, and complete bank account numbers exposed to anyone on the Web.
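Both Delhi exposures combine the same two conditions: requests with no session succeeding on paths that were meant to be protected, and files with guessable names. As an added example (not from the article or from any of the affected systems), this Python check shows how a defender could surface both conditions in web access logs; the log format, the `/records/` path, the file names, the addresses and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log; the third field is the logged-in user ("-" = none).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2026:10:00:01 +0000] "GET /records/result_1001.pdf HTTP/1.1" 200 48211
203.0.113.7 - - [12/Apr/2026:10:00:02 +0000] "GET /records/result_1002.pdf HTTP/1.1" 200 47930
198.51.100.20 - asharma [12/Apr/2026:10:00:02 +0000] "GET /records/result_1003.pdf HTTP/1.1" 200 48002
203.0.113.7 - - [12/Apr/2026:10:00:03 +0000] "GET /records/result_1003.pdf HTTP/1.1" 200 48002
203.0.113.7 - - [12/Apr/2026:10:00:04 +0000] "GET /records/result_1004.pdf HTTP/1.1" 200 47711
192.0.2.44 - - [12/Apr/2026:10:00:04 +0000] "GET /records/result_2001.pdf HTTP/1.1" 401 512
203.0.113.7 - - [12/Apr/2026:10:00:05 +0000] "GET /records/result_1005.pdf HTTP/1.1" 200 48120
203.0.113.7 - - [12/Apr/2026:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

PROTECTED_PREFIXES = ("/records/",)  # assumption: paths that must require a login
RUN_THRESHOLD = 4                    # assumption: consecutive IDs treated as enumeration
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                     r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
ID_RE = re.compile(r'^(?P<stem>.*?)(?P<num>\d+)(?P<ext>\.\w+)?$')

def longest_run(numbers):
    """Length of the longest run of consecutive integers in `numbers`."""
    nums, best = set(numbers), 0
    for n in nums:
        if n - 1 not in nums:              # n is the start of a run
            length = 1
            while n + length in nums:
                length += 1
            best = max(best, length)
    return best

def analyze(log_text):
    """Return (unauthenticated 200s on protected paths, clients walking numeric IDs)."""
    unauth_hits, ids = [], defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(PROTECTED_PREFIXES):
            continue
        if m["user"] == "-" and m["status"] == "200":  # served without a session
            unauth_hits.append((m["ip"], m["path"]))
            f = ID_RE.match(m["path"].split("?")[0])
            if f:
                ids[(m["ip"], f["stem"])].append(int(f["num"]))
    runs = {key: longest_run(nums) for key, nums in ids.items()}
    return unauth_hits, {k: r for k, r in runs.items() if r >= RUN_THRESHOLD}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Any entry in the first list means the server itself is not enforcing the access rule, whatever the page shows the user; the second list separates a client walking sequential file names from a one-off request.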
Nothing was as serious, though, as what Bhardwaj found in a national government portal from the Union Public Service Commission (UPSC). UPSC is India's primary body responsible for recruiting civil service workers, and in that capacity it manages a whole lot of people's data. In 2023 alone, for example, 1.3 million people applied for positions through UPSC.
The researcher found a dozen vulnerabilities in UPSC's portal, many resulting from poor identity and access management (IAM). The most troubling of all was that the administrative interface managing authentication to the portal was left totally open to anyone on the Internet. It would have been trivial for any hacker to come along, grant themselves whatever access they wished for, and fully take over the system and its data.
Bhardwaj found another critical vulnerability in the portal that made it vulnerable to automated credential attacks. There were also missing browser-level security headers, cryptographic and one-time password (OTP) issues, and application data disclosed in public documents, all of which could have factored into any number of possible attacks.
What Makes Governments Insecure
"The most common public sector failure isn't a clever exploit, it's a simple error like leaving a directory open," says Trey Ford, chief strategy and trust officer at Bugcrowd. "This case shows a clear pattern: when many citizen-facing portals are built and operated through shared infrastructure, no single owner ends up accountable for whether each one enforces access control."
In large, unwieldy government organizations running decades-old systems, "The job to be done is owning access control across the entire inventory of public-facing assets and treating coordinated disclosure as defensive infrastructure — the mechanism that turned three serious exposures into three fast fixes," he says.
Bhardwaj seconds Ford's point: "Most of the issues I've encountered were not the result of highly sophisticated attacks but rather configuration weaknesses, inconsistent access controls, or security oversights that can be addressed through stronger engineering and review processes," he says.
He explains that in India, like in most countries, "security maturity is not yet consistent across all government departments. Many platforms continue to rely on legacy applications or infrastructure, and security practices can vary between organizations. Resource constraints, procurement timelines, and the shortage of experienced cybersecurity professionals can slow remediation efforts."
At the same time, from his vantage point as an independent researcher, "India's cybersecurity posture has improved noticeably over the past few years. More government organizations appear to recognize the value of responsible vulnerability disclosure, and I've seen agencies engage professionally with security researchers when issues are reported in good faith."
Overall, Bhardwaj is optimistic about the country's direction. "Continued collaboration between government agencies, industry, academia, and the security research community will be essential to building resilient and secure public digital infrastructure."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media.
He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify.
He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself.