An independent security researcher identified 14 vulnerabilities affecting Indian government IT systems, which put an array of citizen data at risk.
Two of the issues qualified as critical severity, and four as high severity. They affected major national platforms, including education and civil service portals used by millions of students and job aspirants, exposing highly sensitive personally identifying information (PII) like birthdays, addresses, and bank account numbers.
Thankfully, the government of the world’s largest country listened to the young researcher and patched all of the vulnerabilities in two to three weeks’ time.
Vulnerabilities in Indian Government Systems
Somewhere shy of two million students are enrolled in schools overseen by the Directorate of Education in Delhi. That makes for a large blast radius, in the case of any information disclosure vulnerability.
In April, independent cybersecurity researcher Sushant Bhardwaj found that the access controls protecting two Delhi government directories weren’t enforced at the server level. It’s a common problem — users might be outwardly presented with an access denied message, but there’s nothing stopping them from simply skipping past it.
Bhardwaj got into the directories without authentication. As a bonus, the files within the directory followed predictable naming structures, so he was able to find a variety of interesting, private data simply by tinkering with the URL he visited. In all, student enrollment data — names, parents’ names, school details, etc. — as well as their exam results, were exposed along with employee records.
Bhardwaj found another information disclosure issue in a different Delhi government IT portal, this time affecting fewer people but exposing them to far greater risk. The portal in question managed scholarships, thus exposing a relatively higher percentage of lower-income individuals. Thanks again to missing authentication and predictable file structures, 4,399 people had their names, guardians’ names, schooling and scholarship information, and complete bank account numbers exposed to anyone on the Web.
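A defender can look for this failure pattern in web server logs. The following is an added example, not code from the researcher or any agency named here: it flags requests that were served with status 200 under a protected path with no session attached, and clients that walked numbered file names that way. The log format, the `session=` field, the paths, and the addresses are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

PROTECTED_PREFIXES = ("/records/", "/scholarship/")  # assumed protected paths
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ session=(?P<session>\S+)$'
)
ID_RE = re.compile(r'(\d+)(?=\.\w+$)')  # trailing number in a file name

# Constructed sample log lines; "session=-" means no authenticated session.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2000:10:01:02 +0530] "GET /records/result_1001.pdf HTTP/1.1" 200 48211 session=-
203.0.113.7 - - [01/Jan/2000:10:01:03 +0530] "GET /records/result_1002.pdf HTTP/1.1" 200 47102 session=-
203.0.113.7 - - [01/Jan/2000:10:01:04 +0530] "GET /records/result_1003.pdf HTTP/1.1" 200 49870 session=-
203.0.113.7 - - [01/Jan/2000:10:01:05 +0530] "GET /scholarship/app_77.pdf HTTP/1.1" 403 512 session=-
198.51.100.4 - - [01/Jan/2000:10:02:00 +0530] "GET /records/result_1001.pdf HTTP/1.1" 200 48211 session=a1b2c3
192.0.2.9 - - [01/Jan/2000:10:03:00 +0530] "GET /records/result_2000.pdf HTTP/1.1" 200 40100 session=-
192.0.2.9 - - [01/Jan/2000:10:03:05 +0530] "GET /index.html HTTP/1.1" 200 1024 session=-
"""

def parse(log_text):
    """Yield one dict per log line that matches the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def unauthenticated_hits(log_text):
    """Protected paths the server answered with 200 although no session was present."""
    return [e for e in parse(log_text)
            if e["path"].startswith(PROTECTED_PREFIXES)
            and e["status"] == "200" and e["session"] == "-"]

def enumeration_suspects(log_text, min_ids=3):
    """Clients that fetched at least min_ids distinct numbered files without a session."""
    ids_by_ip = defaultdict(set)
    for e in unauthenticated_hits(log_text):
        m = ID_RE.search(e["path"])
        if m:
            ids_by_ip[e["ip"]].add(int(m.group(1)))
    return {ip: sorted(ids) for ip, ids in ids_by_ip.items() if len(ids) >= min_ids}
```

Any entry returned by `unauthenticated_hits` is itself evidence that access control is not enforced at the server, regardless of whether enumeration followed.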
Nothing was as serious, though, as what Bhardwaj found in a national government portal from the Union Public Service Commission (UPSC). UPSC is India’s primary body responsible for recruiting civil service workers, and in that capacity it manages a whole lot of people’s data. In 2023 alone, for example, 1.3 million people applied for positions through UPSC.
The researcher found a dozen vulnerabilities in UPSC’s portal, many resulting from poor identity and access management (IAM). The most troubling of all was that the administrative interface managing authentication to the portal was left totally open to anyone on the Internet. It would have been trivial for any hacker to come along, grant themselves whatever access they wished for, and fully take over the system and its data.
Bhardwaj found another critical vulnerability in the portal that made it vulnerable to automated credential attacks. There were also missing browser-level security headers, cryptographic and one-time password (OTP) issues, and application data disclosed in public documents, all of which could have factored into any number of possible attacks.
What Makes Governments Insecure
“The most common public sector failure isn’t a clever exploit, it’s a simple error like leaving a directory open,” says Trey Ford, chief strategy and trust officer at Bugcrowd. “This case shows a clear pattern: when many citizen-facing portals are built and operated through shared infrastructure, no single owner ends up accountable for whether each one enforces access control.”
In large, unwieldy government organizations running decades-old systems, “The job to be done is owning access control across the entire inventory of public-facing assets and treating coordinated disclosure as defensive infrastructure — the mechanism that turned three serious exposures into three fast fixes,” he says.
Bhardwaj seconds Ford’s point: “Most of the issues I’ve encountered were not the result of highly sophisticated attacks but rather configuration weaknesses, inconsistent access controls, or security oversights that can be addressed through stronger engineering and review processes,” he says.
He explains that in India, like in most countries, “security maturity is not yet consistent across all government departments. Many platforms continue to rely on legacy applications or infrastructure, and security practices can vary between organizations. Resource constraints, procurement timelines, and the shortage of experienced cybersecurity professionals can slow remediation efforts.”
At the same time, from his vantage point as an independent researcher, “India’s cybersecurity posture has improved noticeably over the past few years. More government organizations appear to recognize the value of responsible vulnerability disclosure, and I’ve seen agencies engage professionally with security researchers when issues are reported in good faith.”
Overall, Bhardwaj is optimistic about the country’s direction. “Continued collaboration between government agencies, industry, academia, and the security research community will be essential to building resilient and secure public digital infrastructure.”
