Business Standard

EPFO snaps CSC Aadhaar services after data theft

SOMESH JHA & MAYANK JAIN, New Delhi, 2 May

Confidential data from one of the Aadhaar-seeding portals of the Employees Provident Fund Organisation (EPFO) has been stolen by hackers, leading to a shutdown of the facility over a month ago.

The incident came to light after the Intelligence Bureau (IB) informed the Labour and Employment Ministry in March about the data theft from the EPFO’s web portal, which helps subscribers link their provident fund accounts with their Aadhaar numbers.

“It has been intimated that the data has been stolen by hackers by exploiting the vulnerabilities in the website (aadhaar.epfoservices.com) of EPFO,” Central Provident Fund Commissioner V P Joy wrote in a note on March 23 to Dinesh Tyagi, chief executive officer (CEO) at Common Service Centre (CSC), which is managing the Aadhaar-seeding application, launched in April last year.

Though an official statement from the EPFO on Wednesday said no confirmed data leakage had been established, the note by Joy stated data theft took place from the information and communication technology (ICT) infrastructure of the Aadhaar-seeding service for EPFO subscribers.

“The web portal has been closed one-and-a-half months back immediately after the possible data theft was reported to us during a process of routine security check. There was some problem in the application run by CSC and it is not related to our data centre that maintains the EPF accounts,” Joy told Business Standard. He, however, said he was unaware of what confidential data of employees might have been stolen by the hackers. Tyagi did not respond to a text message seeking clarifications.

Unique Identification Authority of India (UIDAI) said the alleged data breach took place on a website that does not belong to it. “This matter does not pertain at all to any Aadhaar data breach from UIDAI servers,” it said in a press statement.

The portal used to provide the facility to formal sector workers to help them link their Aadhaar numbers with the EPFO’s universal account number (UAN) through CSC outlets. It also helped EPFO pensioners to submit their digital life certificates through a large number of CSC outlets. The EPFO discontinued the services provided through CSCs from March 22. The EPFO clarified that Aadhaar-seeding of its subscribers was being done through other modes, such as the government's mobile application UMANG, sources said.

“The news is related to the services through common services centres and not about EPFO software or data centre. As a part of data security and protection, the EPFO has taken advance action by closing the server and host service through CSC, pending vulnerability checks. As such, there is nothing to be concerned about,” the EPFO’s statement said.

The EPFO has urged the CSC to secure confidential data on the portal and plug the vulnerabilities, according to the March 23 letter.

“The IB has advised adhering to best practices and guidelines for securing the confidential data, re-emphasising regular and meaningful audit and vulnerability assessment and penetration testing (CAPT) of the entire system by competent auditors and testers,” the letter stated.

The EPFO has issued 130 million UANs so far to formal sector workers. Till recently, it had linked 34.5 million out of a total of 47.1 million active provident fund accounts with Aadhaar. The IB pointed to two vulnerabilities in the EPFO’s web portal – a Struts vulnerability and backdoor shells.

An independent security researcher who did not want to be named explained the two vulnerabilities mentioned by the IB and said both were among the highest grade of security breaches in public data systems.

“Backdoor shell implies that someone got access to it through the back-end, which means they could get administrative privileges and manipulate the systems,” he said. This is also not the first time that the Apache Struts vulnerability has been exploited by hackers to get access to Aadhaar data. In March this year, it was reported that the India Post database containing bank account details of employees and other sensitive customer information was exposed to hackers through the same vulnerability, even as the organisation insisted that there was no data loss.

Apache Struts is a Java-based framework used by organisations to develop web applications. The software had a big vulnerability in September 2017 that led to the loss of 200,000 credit card details of 140 million US customers through Equifax's servers. While the Apache project quickly moved to fix this issue with an update, many organisations did not install these updates on time, according to a security researcher.
