Facebook-backed Jio leaked trove of coronavirus app data because it didn’t have a password

A security lapse in Reliance Jio’s coronavirus symptom checker exposed the results of millions of folks who took the tests. As first reported by TechCrunch, while the data was largely anonymized in nature, bad actors could’ve taken advantage of it and published all the information.

Jio, India’s biggest mobile network provider, launched its coronavirus symptom checker in March with an aim to help people find relevant resources if needed.

[Read: After Facebook’s mega-investment, Indian carrier Reliance Jio raises $748M from Silver Lake]

Tushar Pania, a Jio spokesperson said the company has taken down the database:

We have taken immediate action. The logging server was for monitoring performance of our website, intended for the limited purpose of people doing a self-check to see if they have any COVID-19 symptoms.

On May 1, security researcher Anurag Sen found a core database related to the service that was accessible without any password. It contained logs and records from April 17 to when Jio took the database off the grid after TechCrunch informed the company.

Here's a simple way to check the symptoms.
Click on the link to begin your self-test: https://t.co/4tvmT8oGaw

Stay Safe. Stay Connected. Stay Productive. #COVID19 #CoronaHaaregaIndiaJeetega #JioTogether #JioSymptomChecker pic.twitter.com/U9C6BMzNF9

— Reliance Jio (@reliancejio) March 25, 2020

The 369 GB database contained information such as age, gender, test result, browser version, operating system, and in some instances precise location data. If a user had registered with the service, the database exposed your personal info as well.

It’s not clear at the moment if anyone else was able to access the database. While most of the data was anonymized, with location data and other info, cybercriminals might be able to identify an individual.

Protecting databases with passwords is one of the basic steps of security, and a company like Jio handling millions of records should be more careful about its systems.