Shocking Data Leak at AIIMS ORBO Exposes Organ Donor Records to the Public

During routine security research, we uncovered a critical vulnerability in the AIIMS ORBO (Organ Retrieval Banking Organization) portal, one that exposed highly sensitive organ donor records to anyone on the internet, no login required.

The exposed data includes names, addresses, phone numbers, blood groups, and other personal details of individuals who pledged their organs or tissues. This vulnerability affects a publicly accessible endpoint, putting the privacy of countless donors at serious risk.

We responsibly disclosed the issue to CERT-In on May 15, 2025, and received acknowledgment on June 16, 2025. Given the severity of the exposure and the ethical concerns it raises, this article breaks down what we found, the scope of the impact, and how this flaw can — and must — be fixed.

What Was Exposed?

The affected endpoint (https://example.com) provides unauthenticated access to a database of registered organ and tissue donors. By selecting any date range and submitting the form, attackers could download detailed donor records without any login or verification.

Exposed Data:

  • Full Name of Donor
  • Father’s Name
  • Residential Address
  • Date of Birth
  • Mobile Number
  • Emergency Contact
  • Blood Group
  • Relationship
  • Age
  • State
  • Organs/Tissues Pledged
  • Registration Number

How Was It Discovered?

Ethical reconnaissance uncovered the vulnerability. A manual test on the AIIMS ORBO portal showed that submitting a request with a date range returned a full list of donor records. We verified the issue by cross-referencing public donor card details.

Proof of Concept (PoC) steps:
1. Visit: https://example.com
2. Input date range: e.g., 01/01/1937 to 15/05/2025
3. Click Submit and observe the unprotected export of donor data

No login, CAPTCHA, or role validation was present. Automation tools could easily scrape this data at scale.

Why This Matters

The exposed information represents a serious breach of trust and privacy for individuals who volunteered as organ donors. Their PII and health information were accessible globally, in violation of India’s Digital Personal Data Protection Act (DPDPA), 2023. Such leaks can lead to identity theft, phishing, and exploitation, especially given the sensitivity of medical data.

Remediation

Immediately remove the /orborep.aspx endpoint from public access or protect it using authentication and authorization controls. Permit only verified, role-authorized users to retrieve sensitive donor data.

Additional recommendations:

  • Implement input validation and session management
  • Sanitize or reduce PII in public-facing reports
  • Conduct regular audits of healthcare portals
  • Notify affected individuals as per DPDPA guidelines
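As an added example, not code from this article or from the AIIMS ORBO portal, the following Python sketch shows what a hardened date-range export looks like when the recommendations above are applied together: an authenticated session, a role check, a validated and bounded date range, an audit trail, and PII minimisation for callers who do not need full records. The role names, session shape and donor records are assumptions constructed for the example.

```python
from datetime import date

# Constructed, fictional sample records using the field set the article lists (not real donor data)
DONORS = [
    {"registration_number": "REG-0001", "full_name": "Donor One", "mobile": "9000000001",
     "address": "1 Example Street", "blood_group": "O+", "registered_on": date(2025, 1, 10)},
    {"registration_number": "REG-0002", "full_name": "Donor Two", "mobile": "9000000002",
     "address": "2 Example Street", "blood_group": "AB-", "registered_on": date(2025, 3, 5)},
    {"registration_number": "REG-0003", "full_name": "Donor Three", "mobile": "9000000003",
     "address": "3 Example Street", "blood_group": "B+", "registered_on": date(2025, 5, 20)},
]

EXPORT_ROLES = {"orbo_admin", "transplant_coordinator"}  # assumed role names for this example
MAX_RANGE_DAYS = 366   # an unbounded range is what made bulk export of every record trivial
AUDIT_LOG = []         # every attempt is recorded, allowed or denied, for later review


class ReportError(Exception):
    def __init__(self, status, message):
        super().__init__(f"{status} {message}")
        self.status = status  # HTTP status the handler should return


def export_donor_report(session, start_iso, end_iso, records=DONORS):
    """Hardened date-range export: authenticate, authorise by role,
    validate the input, and minimise PII for non-admin callers."""
    user = (session or {}).get("user", "anonymous")
    role = (session or {}).get("role")
    try:
        if not session or not session.get("authenticated"):
            raise ReportError(401, "authentication required")
        if role not in EXPORT_ROLES:
            raise ReportError(403, "role not permitted to export donor data")
        try:
            start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
        except ValueError:
            raise ReportError(400, "dates must be ISO 8601 (YYYY-MM-DD)")
        if start > end or (end - start).days > MAX_RANGE_DAYS:
            raise ReportError(400, "date range invalid or too wide")
    except ReportError as err:
        AUDIT_LOG.append((user, "denied", err.status))
        raise
    AUDIT_LOG.append((user, "allowed", f"{start_iso}..{end_iso}"))
    selected = [r for r in records if start <= r["registered_on"] <= end]
    if role == "orbo_admin":
        return [dict(r) for r in selected]
    # Coordinators only need enough to match a pledge: no address, masked mobile number
    return [{"registration_number": r["registration_number"], "full_name": r["full_name"],
             "blood_group": r["blood_group"], "mobile": "XXXXXX" + r["mobile"][-4:]}
            for r in selected]
```

Note that the wide range used in the PoC above (1937 to 2025) is rejected outright by the range bound, and an anonymous request never reaches the data query at all.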

Conclusion

This incident serves as a stark reminder of the need for security-by-design in digital health platforms. With rising digitization, protecting sensitive health data should be a national priority.

About the Author

Aniket Tomar is a cybersecurity researcher originally from Morena (Madhya Pradesh) and currently based in Noida. He focuses on public interest vulnerability disclosures and ethical hacking, and has reported numerous issues to government and private organizations to improve national cyber resilience.

Social Media Links

LinkedIn: https://www.linkedin.com/in/aniket-tomar-1a735b232
GitHub: https://github.com/Binary0101Devil
Website: https://binary0101devil.in/
Instagram: https://www.instagram.com/binary0101devil/

Stay informed and empowered with Cyber News Live! Join us for insightful discussions, expert analysis, and valuable resources that promote cyber awareness and safety in education. Don’t miss out—tune in to Cyber News Live today!
