Security pentester Breaks into Indian Government Website Easily

497

Security pentester Kapustkiy has managed to break into the Eastern Indian Regional Council server and access the data of no less than 17,000 students, in an attempt to show once again how vulnerable websites belonging to some authorities across the world actually are.

This breach comes just a few days after the same Kapustkiy infiltrated into an Italian government website, also exposing login credentials of thousands of accounts.

In this case, Kapustkiy turned to an SQL injection to get past security systems of the Eastern Indian Regional Council website and access a database of no less than 17,000 users. He decided to leak only 2,000 of them, as he wants to give security admins enough time to patch the vulnerability. The data includes membership numbers, names, passwords, and email addresses.

Just like it happened with the previous breach targeting the Italian government, Kapustkiy contacted the site administrators to tell them about the security flaw, but no answer was provided, probably because it all happened during the weekend. We expect a response to be offered on Monday.

In our conversation on the data breach, Kapustkiy emphasised that he should by no means be considered a hacker because what he does is mostly for exposing security vulnerabilities in his targets and then allow administrators to patch them.

“I’m a Security Pentester,” he said. “People think I’m a hacker, but this is not true. I only try to help most of the time,” he continued.

This isn’t his first breach into an Indian website, as he previously compromised websites belonging to the Indian Embassy in various countries, including Switzerland and Romania. The Indian government itself issued a thank you note following the breach, admitting that Kapustkiy helped them increase their security.

“Thank you for your advice,” Sanjay Kumar Verma, Joint Secretary, eGovernance and Information Technology, told Kapustkiy.

We’ve also contacted the Eastern Indian Regional Council to ask for a comment on the data breach and will update the article when a response is offered.