November 8, 2016 | By Douglas Bonderud

With governments rapidly expanding online service capabilities, it’s no surprise that nation-states have begun to attack each other’s websites and databases to advance federal agendas.

According to The Hacker News, however, seven Indian Embassy websites were recently attacked not by nationalists or hacktivists, but by penetration testers who wanted government IT to “pay attention to the issues with their crucial websites.” This Indian Embassy hack exposed hundreds of personal records belonging to Indian citizens and students living abroad.

Penetration Testers Gone Rogue

When it comes to embassy cyberattacks, the most likely scenario involves another country either covertly or openly causing trouble to prove a point. As noted by Softpedia, for example, Turkish cybercriminals defaced the website of Russia’s Israel-based embassy in January 2016.

Additionally, The Express Tribune reported that actors known as Intruder and Romantic compromised seven Indian Embassy websites in June, taking down official functions and leaving pro-Pakistan messages in their wake. This latest embassy web attack, however, seems unrelated to any international conflict and was likely more a test of IT security.

The hackers, known as Kapustkiy and Kasimierz, claimed India’s IT defenses were “poor.” Multiple domains were tied to SQL injection, enabling the actors to compromise the web app and steal sensitive information. They also discovered that user and admin passwords were stored in plaintext without any type of hashing — which is bad news for any site that records and stores personal data.

Indian Embassy Hack Exposes Hundreds of Records

According to The Huffington Post, Kapustkiy and Kasimierz were able to compromise sites in South Africa, Libya, Italy, Switzerland, Malawi, Mali and Romania. Once inside embassy databases, they stole personal information belonging to more than 500 Indian citizens, most of them students, and uploaded it to Pastebin.

Everything from names and passport details to phone numbers and email addresses was made publicly available, although it appears the hackers took the data down after a few days.

While the so-called penetration testers claim they “did not leak anything like real addresses, city or zip code,” according to The Hacker News, and their intention was simply to draw more attention to IT security on the affected websites, other nondisclosure avenues would have served the purpose just as well.

Lessons Learned

Regardless of their intentions, however, the recent Indian Embassy hack raises two important points. First, governments must adopt more proactive web security policies. Leaving embassy sites open to SQL attacks and storing passwords in plaintext presents an easy avenue of attack for even entry-level cybercriminals.

The rise of self-starter security professionals, meanwhile, means that governments must be prepared for security notifications that don’t follow the accepted pattern of “breach, report, disclose,” with disclosure only occurring if issues are not resolved in a timely fashion.

Put simply, if web systems aren’t secure when they go live, governments can expect to see citizen information posted on Pastebin and reported by IT security news outlets. That’s not exactly great national PR or good for citizens’ peace of mind.
