Yet Another Aadhaar Data Breach But This Time Through EPFO

While Aadhaar and Facebook continue to create questions on data security, the latest data breach has come from EPFO (Employees’ Provident Fund Organisation).

The breach came to light through a letter circulated on Twitter which was titled ‘Secret’ dated March 23 and was addressed to the CEO of Common Service Centre which claimed that hackers exploited vulnerabilities through aadhaar.epfoservices.com to steal data.

“It has been intimated that the data has been stolen by hackers by exploiting the vulnerabilities prevailing in the website (aadhaar.epfoservices.com) of EPFO,” it stated, referring to an IB note warning of data theft on the same issue.

“The IB has advised adhering to the best practices and guidelines for securing the confidential data, re-emphasising regular and meaningful audit and vulnerability assessment and penetration testing (CAPT) of the entire system from competent auditors and testers,” the letter said.

As per the latest update, 27.5 Mn people have linked their Aadhaar card with their PF accounts. As per a report by The Wire, possible data that has been leaked includes the unique identity numbers, demographic information and employment details of millions of formal sector employees.

As news buzzed across social media, EPFO took upon itself to release a statement to state that there has been “no confirmed data leakage”. It clarified that “As part of the data security and protection, EPFO has taken advance action by closing the server and host service through Common Service Centres pending vulnerability checks.”

Furthermore, the organisation stated that “As such, there is nothing to be concerned about the news item. EPFO has been taking all necessary precautions and measures to ensure that no data leakage takes place and will continue to be vigilant about it in the future.”

Inc42 had recently reported that an Aadhaar whistleblower Srinivas Kodali published the screenshots of Aadhaar data details of MNREGA (Mahatma Gandhi National Rural Employment Guarantee Act) beneficiaries.

Suggesting a data leak of 8.9 Mn, the scale is much higher than Facebook’s effected data leak in India. The data leak also revealed details such as a person’s Aadhaar number, account number, father’s name, etc.

The breaches have been in direct contrast to UIDAI’s statements in the court where one of the clarifications was that the Aadhaar data is protected by 13 Ft high and 5 Ft thick walls.

Amid harsh stance shown during Facebook-Cambridge Analytica debacle, the continuous Aadhaar leaks should have provoked action as well as criticism of weak data security, however, all Indians have got till now is “Aadhaar is safe”.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.