Cyber laxity: Goa govt posts department login IDs, passwords online
PANAJI: In a move that has raised some eyebrows among cybersecurity experts and IT professionals, the administrative reforms department issued a circular with the login credentials of all the state government departments.
The government circular, which was issued on February 8, asks every government department to upload their annual administration report using the preset login credentials. While the circular was meant for government departments, it was uploaded on the Goa government website for anyone to view and download.
“This is a breach of cyber safety,” said a quality assurance architect with a tech firm in Bengaluru. “The most secure way to share login credentials is via an email to the concerned department and not through a public document.”
The circular, which was issued by the department, does mention that departments are supposed to change their password after the first login. TOI was able to log in on behalf of the transport department and had the option to change the password, which this reporter decided not to do.
Login credentials for 98 government departments and semi-autonomous bodies were uploaded online with the generic password of “ard@1234”.
Cyber criminals exploit vulnerabilities in government and critical web platforms to obtain data. Officials admitted that uploading the circular online was “a mistake” and not in line with data privacy and security protocols.
The administrative reforms department has switched from the manual mode to digital mode. Departments have been asked to submit their annual report for 2019-20. The last day to upload the report is Monday. While the reports themselves are not sensitive, the move to share login credentials via a printed circular and upload it online speaks volumes about the approach to and understanding of cyber security, said IT experts.
“They have mentioned the username and the passwords of all the departments and made it available in public domain. No doubt, they have said change the password on the first login, but we all know the usual approach of the government departments,” said an entrepreneur and IT professional from Goa.
In the past, 17 state government websites were hacked, including the Raj Bhavan website, which was hacked twice.