India’s largest telco Reliance Jio Infocomm Limited recently exposed one of its unprotected database online that was being used in its COVID-19 symptom checker tool.
The COVID-19 symptom checker tool was introduced by Jio on 25th March, just before the Indian government imposed a nationwide lockdown to contaminate the virus spread.
The tool allows anyone to signup and check their symptoms from their phone or Jio’s website to see if they may have become infected with COVID-19.
The exposed database contained millions of user-generated self-test data including their geo-location, age, gender, and even the questions they answered using this COVID-19 Symptom Checker tool by Jio.
It also contained information such as the user’s browser version and the operating system that is often used by companies to load the website properly but it can also be used to track a user’s online activity.
Security researcher Anurag Sen found this exposed database on May 1 and reported it to TechCrunch that later notified Jio.
“From one sample of data we obtained, we found thousands of users’ precise geolocation from across India. TechCrunch was able to identify people’s homes using the latitude and longitude records found in the database,” said Techcrunch. “Most of the location data is clustered around major cities, like Mumbai and Pune. TechCrunch also found users in the United Kingdom and North America”.
Jio’s spokesperson told Techcrunch that they have taken immediate actions and took the exposed database offline.
“The logging server was for monitoring performance of our website, intended for the limited purpose of people doing a self-check to see if they have any COVID-19 symptoms,” said Tushar Pania, AVP at Reliance Industries Limited.