On Friday morning, those who tried logging into the Karnataka State Higher Education Council (KSHEC) website were greeted by an unusual message. A caricature holding a glass of red liquid — as if offering a toast — mocked visitors with these words: “Your data belong to me”. The hackers had even signed off in style: “Defaced by Clinkz48”.
Though the website was restored by afternoon, the incident was a rude reminder of how vulnerable some government websites are to hacking. Following the incident, the Higher Education Department sounded an alert to all universities and departments under it to take precautions.
The KSHEC, a collective of the government, universities, academics and experts, acts as a liaison between the government and universities as well as the universities and the apex-level regulatory bodies. Apart from enabling communication, the council is also a policymaker of sorts for the State universities and the hundreds of colleges that are affiliated to them.
“Fortunately, no sensitive data was hosted on the KSHEC website,” Bharatlal Meena, Principal Secretary, Higher Education, said.
Though Mr. Meena said a complaint would be lodged with the police, enquiries with the Cyber Crime Cell, CID, and the High Grounds police revealed that the council was yet to make a formal complaint.
Even in the past, university websites, which host vast student databases and other crucial information, have proved easy to tamper with, and several instances of hackers succeeding in their mission have been reported.
Mirza Faizan of the Global Cyber Security Response Team, Bengaluru, said the KSHEC website was registered by K.M. Kaveriappa, former Executive Director and Member Secretary of the KSHEC. “His details are in the public domain (phone number and email id). When these credentials are publicly available, hackers can easily know on which ID it has been registered and they attack by way of phishing or social engineering,” he explained.
He said the website had been given to a private company, which in itself is a mistake government officials make when it comes to securing confidential data. He pointed to the recent hacking of the website of the Indian Space Research Organisation’s commercial arm, Antrix Corporation, which was outsourced as well.
“The vulnerability of these sites stems from the fact they don’t have proper security checks. Government websites, most of which are hosted by the National Informatics Centre, also need to obtain a security certificate from the government-empanelled auditors. Confidential data could be compromised if hackers get to government websites,” Mr. Faizan said.