Redcliffe Labs, India’s Medical Diagnostic Company leaks 7 TB of customer data. Will it pay 250 crore fine?

Redcliffe Labs is one of the most comprehensive testing facilities in India. It provides more than 3,600 different diagnostic tests for illnesses and wellbeing. Users of the mobile application have the option of receiving medical diagnostic services in their homes, at medical facilities, or over the internet. These services include in-home full-body examinations, blood testing, diabetes testing, joint care, vitamin testing, as well as specialised testing services for cancer, genetics, HIV, pregnancy, and a wide variety of other conditions. In addition, Redcliffe Labs promotes that their service includes free sample collection as well as a consultation with a medical professional. According to the information provided on their website, they have 2.5 million clients. Jeremiah Fowler, a researcher in the field of cybersecurity, made the discovery and reported it to WebsitePlanet about a database that was not secured by a password and had over 12 million records. These records included medical diagnostic scans, test results, and other potentially sensitive medical information.

The database had an enormous quantity of medical test results, which included the names of patients, physicians, and other sensitive health information such as the location of where the testing sample was performed (at home or at a medical institution), amongst a broad variety of other information. There were a substantial amount of records overall, with a total count of 12,347,297 and a total size of 7 terabytes (TB). After additional research, it was discovered that the papers included a watermark indicating that they belonged to a corporation situated in India known as Redcliffe Labs. I did not waste any time in sending a responsible disclosure notification, and I was promptly rewarded with a response that acknowledged my finding and thanked me for my efforts. It is unknown how long the information was available to the public or whether any unauthorised persons viewed the supposed health records before public access was limited the same day. However, public access was restricted the same day. On the other hand, the database included a folder labelled “test results” that held more than six million PDF documents. This may point to either the fact that a much larger number of consumers were possibly impacted or the possibility that there were repeated tests from the same customers.

The Digital Personal Data Protection Act, 2023 (DPDP Act) is the name of a broad new privacy legislation that was passed into law in India in the month of August 2023. The Data Protection and Development Act (DPDP) is India’s first all-encompassing data protection legislation. It addresses a broad variety of data-related concerns and is applicable to any business that conducts operations inside India or whose clients are located in India.

Companies that have experienced a data breach are required under the DPDP Act to notify the relevant authorities as well as the people whose personal information was compromised within the first 72 hours after the breach has been identified and validated. In addition, the DPDP Act includes a provision that levies monetary fines on businesses that do not adhere to the newly implemented standards. The fines may vary anywhere from INR 10,000 (about equivalent to USD 120) to INR 250 crore (roughly equivalent to USD 30.2 million).

As of the time that this article was published, it is unknown if Redcliffe Labs has informed the appropriate authorities or the people who might possibly be impacted by the data disclosure that occurred earlier. There were a total of 12,347,297 entries in the database, which had a total size of seven terabytes Documents that were categorised as “Reports” had a total number of objects of 1,180,000 and a total size of 620.5 gigabytes. These, too, were test findings, and the report seemed to be in its most basic form; there was no header logo.

Intelligent Report Archiving: There are a total of 1,164,000 items, and their combined size is 1.5 terabytes. The findings of the exam were presented in these publications in an info-graphic format.

“Test results” folder contains the following: There are a total of 6,090,852 items, and their combined size is 2.2 terabytes.

A variety of other folders, each holding files that are not password protected: There are 3,912,445 items in all, and their combined size is 2.7 gigabytes. These folders included a total of.PDF files, papers used internally by the company, logging data, mobile application development files, and other types of files.

The database not only housed millions of medical records, but it also held the development files from their mobile application. Leaving application files open to the public presents the possibility of a serious danger falling into the wrong hands. The functionality of an application as well as the data that is sent from the user to the host server may be controlled by these files. This information or these files might possibly be used by malicious actors to carry out a variety of assaults, which could jeopardise the data of users, the operation of applications, or the security of the mobile device itself.

The alteration or change of the application’s source code files is one of the most significant potential threats. The files might be altered in such a way as to incorporate a malicious code execution, which would make it possible for hackers to undermine the app’s integrity and security, inject malware, or add additional features without authorization. As soon as the code has been altered, malicious actors have the opportunity to steal or get access to a patient’s confidential data, which may include the results of tests, scans, or other sensitive information. If hackers were to obtain access to a user’s health and medical testing information, this might lead to major abuses of the user’s privacy. In addition, accessible code or resource files might theoretically be used in reverse engineering, analysis, or decompilation of the application in order to get insight into how the programme operates. It’s possible that this may lead to the discovery of new vulnerabilities and weaknesses that can be used in the future for malicious purposes.