A trove of personal data linked to over 12.5 million women was leaked online by the Indian government, after yet another MongoDB misconfiguration, according to researchers.
Bob Diachenko of Security Discovery, claimed to have made the find on March 7 during an audit of the BinaryEdge search engine stream.
The Indian IP he discovered contained a publicly exposed database featuring information collected by the government on young mothers.
It was done so under the 1994 Indian Pre-Conception and Pre-Natal Diagnostic Techniques (PCPNDT) Act: a law apparently created in part to try and prevent sex-selective abortions.
In India, the sex of a child is kept from the parents unless there is a legitimate medical reason to reveal it in tests.
The leaked database contained some of this highly sensitive information including mother’s name, age and address, genetic diseases, doctor’s details, and child sex and age. It also featured court information including complaints made about doctors and centers that have enabled illegal sex selective abortions.
“I immediately sent a notification to (CERT) The Indian Computer Emergency Response Team that is an office within the Ministry of Electronics and Information Technology,” said Diachenko.
“It is the agency to deal with cybersecurity threats and they have helped me in the past with proper disclosure of sensitive Indian data leaks. I also requested to pull down the database, however, it took them almost a month to remove the private content off the database.
The data, which goes back several years, remained accessible for almost a month after this initial discovery, despite Diachenko’s best efforts, he claimed.