Chidambaram called for an immediate investigation into the EPFO data leak
The EPFO data leak saw the UAN data of more than 288 Mn Indians
Neither CERT-In nor MeitY has issued a statement regarding the matter so far
Karti Chidambaram, Congress MP and a member of the Parliamentary Standing Committee on Information Technology has written to the Ministry of Electronics and Information Technology (MeitY) and Union Minister Ashwini Vaishnaw on the EPFO data leak.
In his letter addressed to Vaishnaw, Chidambaram said, “Between January and June 2022, India stood second in the world in terms of data breaches. In the absence of a data protection law, these data breaches put the privacy of Indian citizens at risk.”
Chidambaram called for an immediate investigation into the EPFO data leak, mandating data fiduciaries to notify users in the case of a data breach and introducing a tiered system of security compliance.
The EPFO data leak saw the Universal Account Numbers (UANs) of more than 288 Mn Indians, first detected by Ukraine-based Volodymyr Diachenko and SecurityDiscovery.com on August 2. Diachenko and the SecurityDiscovery team alerted India Computer Emergency Response Team (CERT-In) the next day.
“First IP with Elasticsearch cluster contained 280,472,941 records worth almost 500 GB. Second IP contained 8,390,524 records,” said Diachenko in a LinkedIn blog, sharing the screenshots of the document sets titled ‘uan’ and ‘uannew’.
However, neither CERT-In nor MeitY have issued a statement regarding the matter so far.
According to Diachenko, the data leak was hosted on two IPs, which were hosted on Azure and based in India. However, he stated that after 12 hours of him raising the alarm on Twitter, the IPs were taken down and the information became unavailable.
It should be noted that the EPFO data leak saw information such as name, gender, marital status, date of birth, Aadhaar number, bank details and address. In all, there were 48 points of information that were leaked per individual.
According to an IBM report cited by Chidambaram in his letter, data breaches in India cost an average of INR 17.6 Cr on average.
In this month alone, India has allegedly seen over 500 Mn people exposed to data breaches, including the EPFO data leak.
Days ago, cybersecurity firm CyberX9 claimed that telecom operator Vodafone Idea (Vi) exposed sensitive personal data such as call records, phone numbers, internet usage details and credit limit of 301 Mn customers due to vulnerabilities in its security.
However, the telco denied a data breach, stating that it had found a potential vulnerability in its billing system via a forensic audit, which it has fixed.
It is prudent to mention here that India saw 18 Mn cyberattacks and 2 Lakh threats per day in Q1 2022, according to a recent Google report, which only highlights the need for a new data protection bill.
