National Logistics Portal (Marine) suffers breach, exposing crew's sensitive data
A recent data breach at India's National Logistics Portal (Marine) exposed crew members' sensitive personal information and trade records. The cause was misconfigured Amazon S3 buckets and a JavaScript file containing login credentials. Security researcher Bob Diachenko discovered the vulnerability using TruffleHog, an open-source security tool. The leaked data included crew members' names, passport numbers, and dates of birth, as well as trade documents like invoices and shipping orders.
Diachenko's discovery and reporting
Diachenko shared his findings on X, previously known as Twitter, on September 25, posting a screenshot of one of the exposed files with redacted sensitive information. The Indian Computer Emergency Response Team (CERT-In) and AWS's security team reached out to Diachenko to better understand the incident. The nodal agency acknowledged their communication and confirmed the fix on Friday.
Purpose of National Logistics Portal (Marine)
Launched in January by India's ports, shipping, and waterways ministry, the National Logistics Portal (Marine) aims to serve as a "single window" for all logistics trade processes. It covers transportation modes in waterways, roadways, and airways and includes an online marketplace for accessing end-to-end logistics services. The portal is managed by Portall, a subsidiary of Indian business conglomerate JM Baxi.
India's Digital Personal Data Protection Act was introduced recently
The data exposure incident occurred just over a month after India introduced its anticipated privacy law, the Digital Personal Data Protection Act, 2023. This law outlines guidelines for private companies' use of personal data but exempts the Indian government from legal obligations. The recent breach highlights the importance of stringent data protection measures for both private and public entities in India.