News

Congress MP Karti Chidambaram Writes To MeitY On EPFO Data Leak

Karti Chidambaram writes to MeitY on EPFO data leak
SUMMARY

Chidambaram called for an immediate investigation into the EPFO data leak

The EPFO data leak saw the UAN data of more than 288 Mn Indians

Neither CERT-In nor MeitY has issued a statement regarding the matter so far

Inc42 Daily Brief

Stay Ahead With Daily News & Analysis on India’s Tech & Startup Economy

Karti Chidambaram, Congress MP and a member of the Parliamentary Standing Committee on Information Technology has written to the Ministry of Electronics and Information Technology (MeitY) and Union Minister Ashwini Vaishnaw on the EPFO data leak.

In his letter addressed to Vaishnaw, Chidambaram said, “Between January and June 2022, India stood second in the world in terms of data breaches. In the absence of a data protection law, these data breaches put the privacy of Indian citizens at risk.”

Chidambaram called for an immediate investigation into the EPFO data leak, mandating data fiduciaries to notify users in the case of a data breach and introducing a tiered system of security compliance.

The EPFO data leak saw the Universal Account Numbers (UANs) of more than 288 Mn Indians, first detected by Ukraine-based Volodymyr Diachenko and SecurityDiscovery.com on August 2. Diachenko and the SecurityDiscovery team alerted India Computer Emergency Response Team (CERT-In) the next day.

“First IP with Elasticsearch cluster contained 280,472,941 records worth almost 500 GB. Second IP contained 8,390,524 records,” said Diachenko in a LinkedIn blog, sharing the screenshots of the document sets titled ‘uan’ and ‘uannew’.

The first IP hosted UAN data of 280 Mn users. Courtesy: Volodymyr Dianchenko/SecurityDiscovery

 

The second IP hosted UAN data of around 8 Mn users. Courtesy: Volodymyr Dianchenko/SecurityDiscovery

However, neither CERT-In nor MeitY have issued a statement regarding the matter so far.

According to Diachenko, the data leak was hosted on two IPs, which were hosted on Azure and based in India. However, he stated that after 12 hours of him raising the alarm on Twitter, the IPs were taken down and the information became unavailable.

It should be noted that the EPFO data leak saw information such as name, gender, marital status, date of birth, Aadhaar number, bank details and address. In all, there were 48 points of information that were leaked per individual.

Data points that were exposed in the EPFO data leak. Courtesy: Volodymyr Dianchenko/SecurityDiscovery

According to an IBM report cited by Chidambaram in his letter, data breaches in India cost an average of INR 17.6 Cr on average. 

In this month alone, India has allegedly seen over 500 Mn people exposed to data breaches, including the EPFO data leak.

Days ago, cybersecurity firm CyberX9 claimed that telecom operator Vodafone Idea (Vi) exposed sensitive personal data such as call records, phone numbers, internet usage details and credit limit of 301 Mn customers due to vulnerabilities in its security.

However, the telco denied a data breach, stating that it had found a potential vulnerability in its billing system via a forensic audit, which it has fixed. 

It is prudent to mention here that India saw 18 Mn cyberattacks and 2 Lakh threats per day in Q1 2022, according to a recent Google report, which only highlights the need for a new data protection bill.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.

Inc42 Daily Brief

Stay Ahead With Daily News & Analysis on India’s Tech & Startup Economy

Recommended Stories for You