The Pradhan Mantri Kisan Samman Nidhi (PM-Kisan) website was found to be leaking farmers’ data.
According to a security researcher named Atul Nair, the PM-Kisan website was exposing the Aadhaar card numbers of Indian farmers who have registered on the portal.
The PM-Kisan website is essentially a government-run initiative that provides financial assistance to Indian farmers of up to INR 6000 every year. The portal uses farmers’ Aadhaar card numbers for registration.
In essence, an Aadhaar card carries a 12-digit number assigned to Indian nationals, which is part of India’s national identity database. It is used as proof of national identity and is often required for availing of government services such as voting, opening bank accounts, and verification purposes.
In a blog post, Nair said that, “The PM Kisan was leaking Aadhaar card numbers of over 110 Mn farmers. The portal provides a dashboard feature to view various charts and data. An endpoint on the dashboard was exposing Aadhaar numbers of farmers based on region (state, district, village).”
Owing to this glitch, any hacker could easily access farmers’ data by ‘writing a basic script’.
According to Nair’s estimates, over 11 Cr farmers are registered on the PM Kisan website. So, a security lapse can affect more than 110 Mn farmers in the country.
On January 29, the issue was escalated to the nodal agency, the Indian Computer Emergency Response Team (CERT-In). The government body fixed the glitch by May 30, after taking down the vulnerable endpoint from the PM Kisan website, according to Nair’s blog post.
This is one of many incidents in which public data was at risk. According to a CERT-In report, over 2.12 Lakh cybersecurity incidents were recorded in the country until February this year. In contrast, over 4.02 Lakh cybersecurity incidents were reported in aggregate in the previous year.
Meanwhile, the startup ecosystem is equally affected by cyberattacks. In May, fintech unicorn Razorpay’s accounts were hacked, and around INR 7 Cr was wiped out over a period of three months. The startup filed a complaint with the South East cybercrime police.
The theft came to light when Razorpay’s officials were auditing accounts and were unable to reconcile 831 transactions.