EPFO shuts down Aadhaar seeding site after ‘hack’
Confusion prevailed on Wednesday after it emerged that the Employees’ Provident Fund Organisation (EPFO) had shut a website used to link Aadhaar numbers with retirement savings accounts after it received information from the Intelligence Bureau (IB) that hackers had gained access to the site. It wasn’t immediately clear whether any data had been stolen.
“On March 22, domestic intelligence agency, IB, informed us about data theft by hackers from website ‘aadhaar.epfoservices.com’. We shut servers on which the website was hosted and discontinued services,” said VP Joy, the Central Provident Fund Commissioner.
A senior government official familiar with the incident said there was no estimate as to how much data was lost, adding that the application continued to be vulnerable for a “few weeks”.
“IB keeps scanning government databases for vulnerabilities and issues regular letters to departments concerned on a regular basis,” said the official, who requested anonymity as he is not authorised to speak to the media.
Joy denied that any data had been lost or stolen. The website was being used to seed Aadhaar numbers with Universal Account Numbers of EPFO account holders, he explained. “The application was for feeding data and no EPFO data was lost,” he added.
The website was hosted on servers installed at the National Data Centre of EPFO in Delhi’s Dwarka but the application running on the server was being remotely managed by the Common Service Centre (CSC) team of the ministry of electronics and information technology.
Joy wrote to Dinesh Tyagi, chief executive officer (CEO) of CSC, on March 23, asking him to deploy an expert team to plug vulnerabilities. The website has remained shut since then. CSC provides information technology-enabled access points for delivery of essential public utility services, social welfare schemes and other government services.
The government official cited in the first instance said IB asked EPFO to get a regular and meaningful audit and vulnerability assessment of its entire system done. Seeding of the Aadhaar number is mandatory for availing of online EPFO services such as submission of online claims.
“It is informed that warnings regarding vulnerabilities in data or software are a routine administrative process based on which the services which were rendered through Common Service Centres have been discontinued w.e.f. 22nd March 2018. The news is relating to the services through common service centres and not about EPFO Software or data centre. No confirmed data leakage has been established or observed so far. As part of the data security and protection, EPFO has taken advance action by closing the server and host service through Common Service Centres pending vulnerability checks,” EPFO said in a formal statement.
The Unique Identification Authority of India (UIDAI), which oversees the Aadhaar project, clarified that no data breach had taken place from its servers. “The said website does not belong to UIDAI in any manner whatsoever. This matter does not pertain at all to any Aadhaar data breach from UIDAI servers,” said UIDAI in a statement.
The government official cited above said hackers exploited vulnerabilities on two counts: the Struts vulnerability and backdoor shells. “Apache Struts is quite an old vulnerability which was discovered in March 2017. It made headlines globally when hackers stole sensitive data for over 140 million US consumers from Equifax by exploiting the Struts vulnerability,” said cyber security expert Dhruv Soi.