Ethiopian city government exposes 29 GB of citizens' data
Rising risk of data exposure: roughly 29 GB of personal data was publicly accessible on the digital platform of Ethiopia's Adama City Government.
It included critical documents such as birth certificates and national IDs.
The exposure was discovered on or after April 20 and made public on the 23rd of the same month, but there was no reaction from the city government or the authorities.
The server was later blocked, but no apology or compensation has been offered to the people affected.
It has come to light that as much as 29 GB of highly sensitive personal data of Ethiopian citizens had leaked from a server of the digital platform managed by Ethiopia's Adama City Government. The leak is attributed to a serious security misconfiguration, and neither the city authorities nor the national cybersecurity agency is reported to have taken appropriate action.
What the Adama City platform is
The Adama City platform is the integrated digital portal for government services offered in Adama, Ethiopia. Its purpose is to automate administrative procedures and improve transparency, accessibility and efficiency. Its main services include one-stop procedures for citizens, investment management, e-commerce, an internal financial system and land management.
Contents of the leaked data
On April 20, 2026, during a security investigation, an unprotected server belonging to the Adama City platform was discovered. The server held roughly 29 GB of personal data of Ethiopian citizens, consisting mainly of ZIP archives and PDF/PNG documents. The exposed information included birth and marriage certificates, land records, national ID documents, citizens' profile photos and social welfare records.
Security measures and remaining challenges
The public exposure of this data created serious risks for citizens, including identity theft, forged documents, phishing attacks and other misuse. According to the researcher who reported the leak, because the Adama city authorities and the national cybersecurity agency failed to respond appropriately, it was ultimately necessary to contact the internet service provider to have the server cut off. Going forward, measures such as not storing personal data on publicly accessible servers, adopting encryption and carrying out regular security reviews are required.
Summary
This leak highlights the current reality that government agencies are not taking sufficient security measures. Stricter measures to protect personal data and prevent leaks are needed going forward.
Opening of the original text (English, first three paragraphs only)
RESUME
This report discloses a significant security misconfiguration involving a publicly exposed server belonging to the Adama City Government digital platform in Ethiopia. The server contained approximately 29 GB of highly sensitive personal data belonging to Ethiopian citizens. Following responsible disclosure efforts, the server was eventually taken offline. However, no response or acknowledgment was received from any Ethiopian authority involved.

About the Adama Platform
The Adama City platform is the official integrated digital portal for government services in Adama, Ethiopia. It was developed to automate administrative procedures and enhance transparency, accessibility, and efficiency in local governance.
Main services offered include:
- Adama City OSS: One-stop shop for common citizen procedures.
- Investment System: Management of projects and licenses for local and foreign investors.
- e-trade & E-commerce: Tools for digitizing commerce and transactions in the region.
- CashBook System: Internal financial and accounting system.
- Land Management: Land management and administration of the urban cadastre.

Discovery of the Exposed Server
On April 20, 2026, during a routine security investigation, an unprotected server belonging to the Adama City platform was discovered. The server contained approximately 29 GB of sensitive data, primarily consisting of ZIP archives and PDF/PNG documents.

Nature of the Exposed Data
The server had been publicly accessible since at least March 23, 2026. The exposed information included highly sensitive personal and civil records of Ethiopian citizens, such as:
- Birth certificates
- Marriage certificates
- Land records
- National identification documents
- Citizens' profile photographs
- Social assistance records
All documents were in PDF and PNG formats, with multiple backup copies in ZIP format.
Examples of exposed documents (translated from Afaan Oromoo):
Adama citizens' profile photos, with faces exposed, on the platform.
Other documents displayed included citizens' identifications.
These documents are birth certificates, which include serial number, photo, father's name, grandfather's name, date of birth, birth certificate number, places of registration and birth, nationality, official seals of the civil registry agency, and signature. The second image shows a social assistance file from Adama for Ethiopian citizens, which includes full name, age, sex, and telephone number. And the third image shows a marriage certificate, which displays information such as the wife's full name, the husband's full name, date of birth, place of birth, address, nationality, the names of each person's father and mother, and witnesses.

Risks
The public exposure of this data posed severe risks to the affected citizens, including:
- Identity theft and impersonation
- Document forgery
- Social engineering and phishing attacks
- Blackmail or extortion
- Unauthorized sale of data on the dark web
- Compromise of personal privacy on a massive scale

Responsible Disclosure Timeline
For our part, we had to protect the data as soon as possible in order to resolve the problem of the exposed server. We contacted the company via email from the following date:
On April 20, 2026, I sent a formal notification via email to the official information address of the Adama City Government, detailing the exposure of their server and the presence of approximately 29 GB of sensitive data belonging to Ethiopian citizens. A copy of the same notification was also sent to the Information Network Security Administration (INSA), Ethiopia's national cybersecurity authority.
Despite the critical nature of the issue, neither the Adama City Government nor INSA provided any response or took action to restrict public access to the server.
Given the complete lack of response from both the municipal authority and the national cybersecurity agency, I escalated the matter on May 20, 2026, by contacting Ethio Telecom, the internet service provider, informing them of the situation affecting their client and requesting urgent intervention to block the exposed server.
On June 15, 2026, I verified that the server had finally been blocked. However, no acknowledgment or response was received from any of the parties involved.

Technical Recommendations
Immediate Actions:
- Disable public access and directory listing on all servers.
- Implement strong authentication mechanisms (multi-factor authentication, IP whitelisting, or VPN access).
- Remove or migrate all sensitive data to secure, encrypted environments.
- Replace public file access with signed URLs or temporary access tokens.
Best Practices for Sensitive Data:
- Never store personal or civil records on publicly accessible servers.
- Implement encryption at rest and in transit (AES-256 minimum).
- Apply the principle of least privilege.
- Conduct regular security audits and configuration reviews.
General Security Improvements:
- Enable comprehensive logging and real-time monitoring.
- Develop and test a formal Incident Response Plan.
- Perform periodic vulnerability assessments and penetration testing.
- Establish proper secrets management and secure configuration baselines.

Final Note
This report will be updated if additional information or responses are received from the responsible authorities.

Ethical Disclosure
This research was conducted solely for the purpose of improving security. No unnecessary data was downloaded or retained, and all findings were responsibly disclosed in accordance with standard responsible disclosure practices.

Report published: June 18, 2026
Security Researcher: chum1ng0
* Out of consideration for copyright, the quotation is limited to the first three paragraphs. Please see the original article for the rest.
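The report's recommendation to replace public file access with signed URLs or temporary access tokens (echoed in the summary's call not to leave personal documents on open servers) can be illustrated with the following added example; it is not code from the report or from the Adama platform, and the signing key, host name and document path are constructed placeholders.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; in production the key comes from a secrets manager.
SIGNING_KEY = b"constructed-example-key-do-not-reuse"
BASE_URL = "https://records.example.invalid/files"


def _signature(path: str, expires: int, key: bytes = SIGNING_KEY) -> str:
    # Bind both the document path and the expiry into the MAC so neither can be edited.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_signed_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue a short-lived link to one document instead of exposing the whole tree."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _signature(path, expires)})
    return f"{BASE_URL}/{path.lstrip('/')}?{query}"


def verify_signed_url(url: str, now: Optional[int] = None) -> bool:
    """Server-side check: reject missing parameters, expired links, traversal and forged MACs."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    if now >= expires:
        return False
    prefix = urlparse(BASE_URL).path + "/"
    if not parsed.path.startswith(prefix):
        return False
    path = parsed.path[len(prefix):]
    if ".." in path.split("/"):
        return False
    # Constant-time comparison avoids leaking the MAC through timing differences.
    return hmac.compare_digest(sig, _signature(path, expires))
```

A server that only honours links passing verify_signed_url, with directory listing disabled, stops a crawler from enumerating the archive the way the exposed server allowed.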