Hackers successfully penetrated BSNL intranet, over 47,000 employees info were leaked

According to The Economic Times (ET) and ciol reports, French security researcher Robert Baptiste claims to have obtained access to the internal network database of India‘s state-owned telecommunications operator Bharat Sanchar Nigam Limited (BSNL), the database contains details of more than 47,000 employees.

Baptiste contacted ET via e-mail and told ET that he got BSNL’s internal network through a security hole and embed malicious code in the software used by BSNL to gain access to the database.

On Sunday morning, Baptiste also shared with ET a database of samples detailing BSNL’s departure and current employee name, job title, password, phone number, date of birth, retirement date, email address and more. ET then retrieved the personal information of six employees from the database and verified their identities by phone.

Baptiste also said there are security holes in multiple sites under the domain name of BSNL, making them extremely vulnerable to SQL injection attacks. In fact, there are already two BSNL websites that have been subjected to ransomware attacks, but the exact time of the attacks on the websites is not yet clear and the website has now been forced to go offline.

Baptiste also found that up to eight other BSNL sites have an open directory that allows anyone to access the database. He had contacted BSNL via Twitter on Sunday afternoon and informed them about the issue. The company’s IT team discussed with him and finally confirmed the seriousness of the problem. Currently, most of the vulnerabilities have been fixed, and some websites have also been deleted.

“I found this a few days ago, but I’m not the first one to discover it. This issue was discovered by an Indian, kmskrishna, two years ago. He sent mails to BSNL, even called senior officers, but nobody answered him. Once again, it shows the importance for big companies like BSNL to take into account this kind of alert.” , Baptiste said.

1) There was a SQL injection in their intranet website. It allows the attacker to dump the all database of the BSNL intranet. It contains the information of 47K+ BSNL employees, Senior officiers' information, BNSL administrators information, retired employee details and more. pic.twitter.com/HTEwtC63wp

— Baptiste Robert (@fs0c131y) March 4, 2018

Due to the current lack of data protection laws in India, this hacking activity is governed by the Indian Information Technology Act of 2000. Pursuant to the act, it is a criminal offense to intrude into a computer system for whatever purpose or in any way that an individual may be subject to criminal charges.

Baptiste said “A monitoring bandwidth system was accessible publicly. BSNL websites had a lot of open directories which allowed everybody to consult their documents. Some sites are down, and some are fixed. calcutta.bsnl.co.in has been fixed.”