Telangana BSNL employee database vulnerable to hacking: French researcher Robert Baptiste

HYDERABAD: French cyber-security researcher Robert Baptiste has found that over 40 GB of sensitive data belonging to State-owned telecom company BSNL, containing names, passwords and mobile numbers of its 47,000 employees, was vulnerable to hacking due to security flaws in websites under the BSNL domain.

A few of the websites were also under attack by malicious programme ransomware that terrorised cyber security establishments recently. However, BSNL has fixed the security flaws over the weekend after it was pointed out by French and Indian security researchers on Sunday on social media.

The website, intranet.bsnl.co.in, was vulnerable to SQL injection, a common hacking technique that Baptiste used to access the database.  The hack made vulnerable information such as names, position, password, mobile numbers of 47,000 BSNL employees, administration information and date of retirement of all BNSL employees and more.

Two of the BSNL websites were found to have been attacked by ransomware, but the exact time when these sites came under attack is not known.  The website has now been taken down. As many as eight other BSNL websites had open directories that allowed anyone to access the database. Most of these security loopholes have been fixed while some of the websites have been taken down.

“I found this issue a few days ago, but I’m not the first one to discover this issue. This issue had been discovered by an Indian, two years ago. He had sent emails to BSNL, even called senior officers, but nobody answered him. Once again, it shows the importance for big companies like BSNL to take into account this kind of alert,” said Baptiste, who assured that the issue had been fixed by BSNL IT team. Manish Garg, general manager of the IT department of BSNL, when contacted, said he was not authorised to talk about the issue.

Attempts to reach him since and a text message with questions was left unanswered. Sai Krishna Kothapalli is a final year computer science student at the Indian Institute of Technology-Guwahati hailing from Andhra Pradesh. He came across the BSNL security flaws while “bug bounty hunting”, where coders expose security flaws of websites and get paid for it.  

“I found this flaw in 2015, while I was doing bug bounties and came across the BSNL site which was vulnerable to basic SQL injection. The site had over 40 GB of their core internal data base. I was scared and did not know what to do,” said Kothapalli, then in the second year of his course . The youth reached out to BSNL officials via email, phone, even making an attempt in 2016 via social media. “I am a patriot and wanted to help our Indian government.  If not us Indian researchers who will fix these issues? But I was scared that I will be tried under the IT Act,” said Kothapalli. So what is at stake if the database is exposed?

“A hacker can sell the data on the dark web, as it has information of the names, pay scale, date of birth and retirement of officials that is useful to scammers. The scammers just need a name and date of birth to open a fake account, this database had all of it,” he added.

“There are a lot of bug bounty hunters in India. We are helping companies outside the country but the government is not making use of us. There are many hackers who want to help their country but end up using their skills only to fight with Pakistani hackers over website hacks,” he said.

BSNL not new to hacking controversies
July 2015
BSNL’s Telecommunications journal website was hacked by AnonOpsIndia
July 2017
 BSNL modems get affected by a malware attack, prompting users to change passwords nationwide
January 2018
Tools to hack BSNL GPRS/3G services surface online and are still available. The tools allow users to use BSNL mobile net without paying