What happens when a friendly-neighbourhood ethical hacker warns companies of their vulnerabilities in India?

A) The companies don’t care because they’re answerable to no one

B) The companies ask them to mind their own business and quietly patch their own servers

C) The companies consider getting the ethical hacker prosecuted (instead of rewarding them)

D) All of the above

The correct answer is D), best illustrated over the course of this story.

On 4 March, a French hacker who goes by the name Elliot Alderson on Twitter wrote a thread on how he gained access to BSNL’s intranet and got hold of details of over 47,000 employees.

On 27 February, Reddit user always_say_this showed that servers belonging to Truecaller Pay and Tata Sky were exposed.

Always_say_this stumbled upon 6,000 such potentially vulnerable servers from around the world. The servers he discovered had no authentication layer at all: not even a simple username and password was required to access them.

Searchlight

A Python script driven by Google Dorking, followed by a few filters, was all it took to locate these vulnerable servers. Google Dorking is an advanced-search technique that hackers use to discover confidential corporate and private information that a normal web search does not readily surface.

Data visible on the servers of Tata Sky and Truecaller Pay. It took both companies almost a day to patch their servers.

In 2017, 978 million people in 20 countries fell victim to cybercrime, losing $172 billion in such attacks. India had the second-highest number of victims, 186 million, who lost $18.5 billion, according to a Norton cybersecurity report. If company servers are completely open, customers’ personal data is free for the taking, and that attracts buyers who are constantly looking for readily available sensitive personal data. With this data, it is also easy for hackers or scammers to conduct extremely precise fraudulent phishing attacks.

But unguarded servers are a threat to both users and the company. The kind of data visible on the company servers, in this case Truecaller’s and Tata Sky’s, could be sold to competitors. This data, which contains contact details, can then be used to run marketing campaigns.

Before taking to Twitter and Reddit about these lapses, always_say_this first reached out to the companies and was met with indifference. “I received very few replies to the emails sent directly to companies, which is why I started pinging out CEOs of each company,” the hacker says. He’d hoped to get a reward or even a job. Instead, most companies politely acknowledged his work; some even asked him to mind his own business. Of the 30-odd CEOs he wrote to, he got 10 replies, but he noticed those who didn’t reply simply patched their servers.