The Door Was Wide Open
Here's a detail that still makes me uncomfortable: in April 2026, an independent researcher named Sushant Bhardwaj found a vulnerability in India's Union Public Service Commission portal that let anyone on the internet log in as an administrator. Not a zero-day exploit. Not a nation-state-grade attack. Just... an open door.
The UPSC runs India's civil-service exams — the single most competitive recruitment process in the country. Over 1.3 million people applied just in 2023. Their personal data, application histories, exam results — all sitting behind a login screen that wasn't actually locking anything.
Bhardwaj didn't stop at one. He found 14 vulnerabilities across multiple Indian government systems. Two were critical. Four more rated high severity. And the pattern that tied them all together? Not sophisticated malware or advanced persistent threats. Just bad housekeeping.
I've spent years looking at breach reports from major corporations, and honestly? This is the kind of thing that should make every CISO in the room wince. Because these aren't exotic failures. They're the kind of mistakes you'd catch in a code review if anyone was paying attention.
The UPSC Takeover
Let's start with the headline act. The UPSC administrative interface — the system that manages authentication for the entire portal — was exposed directly to the public internet. No firewall rules blocking external access. No network segmentation keeping the admin panel isolated from citizen-facing pages.
The result? Any attacker could trivially grant themselves arbitrary access levels. Full administrative control over a system holding 1.3 million applicants' data. You could change passwords, modify records, export everything. The whole thing.
But the UPSC flaws didn't end there. Bhardwaj also found that the login endpoint was open to automated credential attacks: someone could script login attempts against it without triggering meaningful defenses such as rate limiting or lockout. Missing browser security headers removed the protections that would otherwise limit what a cross-site scripting payload could do with a logged-in session. There were cryptographic weaknesses in how data was handled, one-time password (OTP) checks that could be bypassed, and application data leaking into publicly accessible documents.
The root cause, as Bhardwaj put it, came down to poor identity and access management. IAM is one of those boring-sounding areas that actually matters enormously. Get it wrong, and the entire security model collapses at the most fundamental level.
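To make the scripted-login point concrete, here is a minimal login gate that gives a credential-stuffing script something to trip over. This is an added example, not code from the page or from the UPSC portal; the thresholds, the user table and the `LoginGate` class are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Policy thresholds: assumptions chosen for the example, not values from the page.
WINDOW_SECONDS = 300       # failures older than this no longer count
MAX_PER_ACCOUNT = 5        # failures per username before lockout
MAX_PER_SOURCE = 20        # failures per client address before lockout
LOCKOUT_SECONDS = 900


def _hash(salt: bytes, password: str) -> str:
    # sha256 keeps the example stdlib-only; a real credential store should use
    # a slow KDF such as scrypt or argon2.
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed user table (not real credentials): username -> (salt, password hash).
USERS = {"applicant1": (b"salt-1", _hash(b"salt-1", "correct horse"))}
_DUMMY = (b"dummy", _hash(b"dummy", "dummy"))   # hashed for unknown usernames


class LoginGate:
    """Counts failures per account and per source address in a sliding window and
    locks whichever key crosses its limit. The clock is injected so it can be tested."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time at which the lock expires

    def _recent(self, key: str, now: float) -> int:
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def attempt(self, username: str, password: str, source_ip: str) -> str:
        """Returns 'ok', 'denied' or 'throttled'. The hash is computed even for unknown
        usernames so response timing does not reveal which accounts exist."""
        now = self.clock()
        acct_key, src_key = f"acct:{username}", f"src:{source_ip}"
        if any(self.locked_until.get(k, 0) > now for k in (acct_key, src_key)):
            return "throttled"
        salt, expected = USERS.get(username, _DUMMY)
        ok = username in USERS and hmac.compare_digest(_hash(salt, password), expected)
        if ok:
            self.failures.pop(acct_key, None)
            return "ok"
        for key, limit in ((acct_key, MAX_PER_ACCOUNT), (src_key, MAX_PER_SOURCE)):
            self.failures[key].append(now)
            if self._recent(key, now) >= limit:
                self.locked_until[key] = now + LOCKOUT_SECONDS
        return "denied"


if __name__ == "__main__":
    gate = LoginGate()
    for i in range(6):
        print(i + 1, gate.attempt("applicant1", f"guess{i}", "203.0.113.5"))
    print("real password after lockout:",
          gate.attempt("applicant1", "correct horse", "203.0.113.5"))
```

Two caveats a practitioner would want. A hard per-account lockout is itself a denial-of-service lever (an attacker can lock a victim out on purpose), so in production the account-side limit usually escalates to CAPTCHA or step-up verification rather than a flat refusal. And counting by source address alone is weak against a distributed script; it is the combination of per-account and per-source counters, plus the constant-time check for unknown usernames, that makes scripted attempts expensive.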
Two Million Students in the Crosshairs
While the UPSC vulnerability was the most critical, Bhardwaj's findings extended well beyond a single portal. The Delhi Directorate of Education directories exposed roughly two million students' data — names, parents' names, school assignments, exam results, employee records.
Here's where it gets interesting from a technical standpoint. The access controls on these directories weren't enforced on the server. That's a crucial distinction. Navigate to a restricted file through the interface and you'd see "access denied," but that check lived in the front end. Request the file's URL directly, with a predictable filename swapped in, and the server handed it over. No authentication required.
Predictable file naming made enumeration trivial. No random guessing was needed: the files followed a consistent convention, so a short script could walk the entire directory tree and pull down everything in minutes.
Two million students. That's not a theoretical risk. That's real families, real children, whose personal information was sitting exposed because someone forgot to put a lock on the server.
The Scholarship Portal: Smaller Scale, Higher Stakes
The Delhi scholarship portal affected fewer people — about 4,399 beneficiaries — but the data exposed was significantly more sensitive. Complete bank account numbers.
Not masked. Not truncated. Full account details sitting in files that anyone could download by changing a URL parameter.
Names, guardians' names, schooling information, scholarship details, all of it. And here's the part that really gets me: the affected population skews lower-income. These are people who received government financial aid precisely because they needed it. Their bank details were sitting in plain text on a server with no authentication.
Same root cause as the education directories. Missing authentication checks. Predictable file structures. No server-side enforcement of access controls.
It's the same mistake, repeated across different systems, affecting different populations. That repetition tells you this isn't an isolated incident — it's a systemic pattern.
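Since the education directories and the scholarship portal share one root cause, a single worked example covers both. This is an added illustration, not code from the page or from either Delhi portal: the in-memory file store, the school-code-plus-roll-number naming convention, the `Session` type and the sample records are all constructed assumptions. It shows the front-end-only check as a server that returns any path it is asked for, the server-side fix, and the enumeration script the predictable names invite.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample store (not real data): URL path -> record. The naming pattern
# (school code, then a zero-padded sequential roll number) is an assumption standing
# in for the page's "predictable file naming structures".
FILES: Dict[str, dict] = {
    "/records/SCH001/0001.pdf": {"owner": "u-alice", "name": "Alice", "account": "123456789012"},
    "/records/SCH001/0002.pdf": {"owner": "u-bob",   "name": "Bob",   "account": "223456789034"},
    "/records/SCH002/0001.pdf": {"owner": "u-carol", "name": "Carol", "account": "323456789056"},
}


@dataclass
class Session:
    user_id: Optional[str]                          # None = anonymous request
    roles: frozenset = field(default_factory=frozenset)


def mask_account(number: str) -> str:
    """Data minimisation: even an authorised view only needs the last four digits."""
    return "*" * (len(number) - 4) + number[-4:]


def serve_vulnerable(path: str, session: Session) -> Tuple[int, Optional[dict]]:
    """What the exposed directories effectively did: the only 'access denied' lived in
    the front-end navigation, so a direct request for any path returns the full record,
    bank account number included, regardless of who is asking."""
    rec = FILES.get(path)
    return (200, dict(rec)) if rec else (404, None)


def serve_hardened(path: str, session: Session) -> Tuple[int, Optional[dict]]:
    """Server-side enforcement: authenticate first, then authorise against the record's
    owner (or an admin role), and answer unauthorised requests with 404 so the
    predictable namespace cannot be confirmed one path at a time."""
    if session.user_id is None:
        return (401, None)
    rec = FILES.get(path)
    if rec is None or (session.user_id != rec["owner"] and "admin" not in session.roles):
        return (404, None)
    return (200, {"name": rec["name"], "account": mask_account(rec["account"])})


def enumerate_records(serve, session: Session,
                      schools=("SCH001", "SCH002"), max_roll=5) -> Dict[str, dict]:
    """The scripted walk the naming convention invites: iterate school codes and roll
    numbers and keep whatever the server hands back."""
    found = {}
    for school in schools:
        for roll in range(1, max_roll + 1):
            path = f"/records/{school}/{roll:04d}.pdf"
            status, body = serve(path, session)
            if status == 200:
                found[path] = body
    return found


if __name__ == "__main__":
    anon = Session(user_id=None)
    print(len(enumerate_records(serve_vulnerable, anon)))          # 3: everything, unauthenticated
    print(len(enumerate_records(serve_hardened, anon)))            # 0
    print(enumerate_records(serve_hardened, Session("u-alice")))   # only Alice's own record, masked
```

The check that matters is the one in `serve_hardened`: authorisation is decided per object, on the server, from the session rather than from anything the client sent in the URL. Returning 404 instead of 403 for someone else's record is a deliberate choice so that a walk over the namespace learns nothing; some teams prefer 403 with an audit log entry, which is also fine as long as the decision is made server-side. Masking the account number is the second, independent fix: the scholarship files should never have carried full bank details in a downloadable document in the first place.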
Why Governments Keep Making the Same Mistakes
Trey Ford, Bugcrowd's Chief Strategy and Trust Officer, put it bluntly: "The most common public sector failure isn't a clever exploit. It's a simple error like leaving a directory open."
That's the thing that sticks with me. We spend so much time worrying about advanced threat actors and sophisticated attack chains, but the reality is that most government systems are brought down by things that would be caught in a basic security audit.
Ford also highlighted a structural problem unique to government: shared infrastructure. When many citizen-facing portals are built and operated through shared infrastructure, no single owner ends up accountable for whether each one enforces access control. Everyone assumes someone else is handling it. Nobody does.
Bhardwaj identified several systemic factors driving these failures: legacy applications running on outdated infrastructure, inconsistent security maturity across different government departments, resource constraints that make thorough testing a luxury, procurement timelines that prioritize speed over security, and a shortage of experienced cybersecurity professionals willing to work in the public sector.
These aren't excuses. They're explanations. And understanding why these failures happen is the first step toward fixing them.
How It Ended: Actually, Pretty Well
Here's the part of the story that gives me hope. Bhardwaj followed responsible disclosure practices — he reported his findings to the government, gave them a chance to fix things, and waited.
The government listened. All 14 vulnerabilities were patched within two to three weeks of disclosure.
That's not slow. That's not negligent. That's actually a model response, especially considering the scale and sensitivity of the affected systems.
Ford called coordinated disclosure "defensive infrastructure" — treating it as a critical component of security rather than an optional courtesy. Three serious exposures (the UPSC portal, the education directories and the scholarship portal) became three fast fixes because both sides understood that collaboration served everyone's interests.
Bhardwaj himself noted that India's cybersecurity posture has "improved noticeably" over the past few years, with more government organizations recognizing the value of responsible disclosure programs. He's young — early in his career, by his own description — and he's already making a real impact.
The takeaway isn't that government systems are insecure. It's that they're fixable, when the right people pay attention and the right processes are in place. The vulnerabilities Bhardwaj found weren't sophisticated attacks. They were configuration weaknesses, inconsistent access controls, and security oversights — all addressable through stronger engineering practices and review processes.
In my experience, the best security stories aren't about heroes who stopped nation-state attacks. They're about regular people doing their jobs carefully, following established processes, and getting results. This is one of those stories.