Cyber Incident Victim: Eastern Indian Regional Council

Date: Nov 2016

Location: India

Summary

A security pentester known as Kapustkiy compromised the Eastern Indian Regional Council's server via SQL injection, accessing data belonging to 17,000 students, including membership numbers, names, passwords, and email addresses. The pentester leaked 2,000 records to prompt remediation while allowing time for vulnerability patching, having previously employed similar methods against an Italian government site. Kapustkiy contacted the organization's administrators but received no immediate response. This incident followed prior breaches of Indian Embassy websites in multiple countries, which led the Indian government to acknowledge the pentester's role in improving security measures. Kapustkiy emphasized that his actions were aimed at exposing vulnerabilities rather than driven by malicious intent.

Description

On or around November 20, 2016, security researcher Kapustkiy breached the Eastern Indian Regional Council's server through an SQL injection vulnerability, gaining access to a database containing sensitive information for approximately 17,000 students. The compromised data included membership numbers, full names, email addresses, and passwords. Kapustkiy publicly disclosed approximately 2,000 records while withholding the remainder to provide administrators time to address the security flaw. This incident occurred shortly after Kapustkiy's similar breach of an Italian government website that exposed thousands of credentials. The attacker attempted to notify the Eastern Indian Regional Council's administrators about the vulnerability but received no immediate response, potentially due to the incident occurring during a weekend period. The breach exposed systemic vulnerabilities in the council's web infrastructure, marking at least the third time Kapustkiy had compromised an Indian government-affiliated system following prior intrusions targeting Indian Embassy websites in Switzerland and Romania.

Kapustkiy explicitly characterized himself as a security pentester rather than a malicious hacker, emphasizing that his actions were aimed at demonstrating vulnerabilities and prompting security improvements. The researcher maintained a pattern of responsible disclosure by contacting administrators before publicizing breaches, though response times varied across targets. Historical context indicated the Indian government had previously acknowledged Kapustkiy's security contributions, with a Joint Secretary of eGovernance and Information Technology formally thanking him for vulnerability reports following earlier embassy website breaches. As of the incident reporting date, the Eastern Indian Regional Council had not issued a public response, though media anticipated an official statement following the weekend. The breach highlighted persistent web application security weaknesses across government entities despite prior warnings, with compromised credentials posing risks of unauthorized access and potential misuse until remediated.
