Jio, backed by Facebook, leaked coronavirus app data because he didn’t have a password

A safety lapse in the Reliance Jio coronavirus symptom checker exposed the results of millions of people who took the tests. As first reported by TechCrunch, although the data was largely anonymous in nature, the bad actors could have tapped and released all the information.

Jio, India’s largest mobile network provider, launched its coronavirus symptom checker in March with the aim of helping people find relevant resources if necessary.

[Read: After Facebook’s mega-investment, Indian carrier Reliance Jio raises $748M from Silver Lake]

Tushar Pania, a Jio spokesman said the company has removed the database:

We have taken immediate action. The registration server was for monitoring the performance of our website, intended for the limited purpose of people doing a self-test to see if they have any COVID-19 symptoms.

On May 1, security researcher Anurag Sen found a central database related to the service that was accessible without a password. It contained logs and logs from April 17 until Jio removed the database from the network after TechCrunch reported to the company.

Here is a simple way to check the symptoms.
Click the link to start your self-test: https://t.co/4tvmT8oGaw

Stay safe. Stay connected. Stay productive. # COVID-19 #CoronaHaaregaIndiaJeetega #JioTogether #JioSymptomChecker pic.twitter.com/U9C6BMzNF9

– Reliance Jio (@reliancejio) March 25, 2020

The 369 GB database contained information such as age, gender, test result, browser version, operating system, and in some cases, accurate location data. If a user had registered with the service, the database also exposed their personal information.

At the moment it is not clear if anyone else was able to access the database. While most of the data was anonymized, with location data and other information, cybercriminals could identify an individual.

Protecting databases with passwords is one of the basic security steps, and a company like Jio that handles millions of records should be more careful with their systems.