India’s national logistics portal exposed sensitive personal data, trade records

India’s state-owned logistics portal has fixed misconfigurations and vulnerabilities that exposed sensitive personal data and various state and private trade records.

Called the National Logistics Portal-Marine, the website made sensitive and private data public through misconfigured Amazon S3 buckets. It also served a JavaScript file that had login credentials hardcoded in the web source code.

Security researcher Bob Diachenko found the issues with the Indian portal through the open source security tool TruffleHog. Diachenko told TechCrunch that the exposed data included full names, nationality, date of birth, gender, passport numbers, passport issuing authority and expiration date that various crew members of vessels and ships submitted for their travel. Similarly, there were invoices, shipping orders and bills of lading among the sensitive pieces of information.

“The reasons [for the exposure] are multiple in this case — all leading to various misconfiguration, starting from storing hardcoded credentials in a JavaScript file and to the public S3 buckets,” he told TechCrunch.

On September 25, Diachenko posted a screenshot on X, formerly known as Twitter, showing one of the exposed files with redacted sensitive information. Subsequently, he was contacted by the Indian Computer Emergency Response Team (CERT-In) and AWS’s security team to understand the incident better. TechCrunch also separately informed CERT-In about the matter shortly after getting the details from the researcher. The nodal agency acknowledged the receipt of our communication on Tuesday and confirmed the fix on Friday.

“With respect to the trailing email, the concerned organization has confirmed that the vulnerability is mitigated,” CERT-In said while confirming the fix.

The ports, shipping and waterways ministry and Portall, the firm responsible for the portal and a subsidiary of India’s business conglomerate JM Baxi, did not respond to multiple requests for comment prior to publication.

The ports, shipping and waterways ministry launched the National Logistics Portal-Marine in January. The project aims to work as a “single window” for all logistics trade processes and covers transportation modes in the waterways, roadways and airways. It also includes an online marketplace to access end-to-end logistic services.

The data exposure incident comes just over a month after India, the second-largest internet market after China, received its anticipated privacy law, the Digital Personal Data Protection Act, 2023. The law outlines guidelines for private companies’ use of personal data, but exempts the Indian government from legal obligations.
