VIDUSHI VERMA | 3 MAY, 2018
Aadhaar Seeding Portal of EPFO Taken Down: ‘Data Breach Biggest Issue’
Hackers steal data
NEW DELHI: “These two are independent matters. Aadhaar data is safe and secure. Nothing more can be said over this”, an official from Unique Identification Authority of India (UIDAI) who does not wish to reveal his identity told The Citizen.
Even after reportedly denying any connection between the two matters- Aadhaar data linkage and Provident Fund data steal, the website portal aadhaar.epfoservices.com has been temporarily shut down. The portal functioned as a seeding platform that allowed Employees Provident Fund Organisation (EPFO) field offices and Common Service Centres (CSC) to seed Aadhaar with the Provident Fund's universal account number (UAN) allocated to employees.
As reports are doing the rounds, hackers appear to have stolen data from the EPFO, which manages over Rs 8.5 lakh crore in pension funds burrowing their way through the Aadhaar seeding portal. The extent of the breach is not known but it is certain that the details include names, addresses along with the employment histories of Employment Provident Fund subscribers.
Till now, the EPFO has linked some 34.5 million out of some 47 million active PF accounts with Aadhaar identities. However, officials said that EPFO-linked Aadhaar accounts were maintained on a separate server which had not been compromised, as reported by The Telegraph.
The EPFO said it had shut down the website on March 22 and asked CSC to secure the confidential data of employees and plug vulnerabilities. As part of the data security and protection, the EPFO commented that “it has taken advance action by closing the server and host service through Common Service Centres pending vulnerability checks”. This temporary shutting down of website came out when a secret note, sent by Employee Provident Fund Organisation (EPFO)'s Chief Provident Fund Commissioner V.P. Joy, surfaced on Twitter where he addressed how “the data has been stolen by hackers exploiting the vulnerabilities prevailing in the website”.
The note, marked "Secret" and dated March 23, 2018 was the primary source of this breach coming to public knowledge through social media. The vulnerability was detected in the Aadhaar-seeding platform provided by the Common Services Centre (CSC) E-governance Services Ltd, a special purpose vehicle of MEITY.
The Citizen tried to contact the office of EPFO and Chief Provident Fund Commissioner but the officials were unavailable to comment on the issue. Also, the Ministry of Electronics and Information Technology officials did not respond.
Talking to The Citizen, Rakshit Tandon, a cybersecurity expert and Director, Council of Information Security said, “The weakest link in these kinds of break are the number of outsourcing agencies the parent machinery creates. Data breach is the biggest issue where the government has created a system but failed to create security for that data”. He further added, “We are in a rush to automate India including the financial ecosystems”. Also addressing the issue around the Provident Fund data breach, the expert also expressed that “the linkage between Aadhaar and Provident Fund data is very much possible where the data is already available through government-approved vendors all across the country”.
Later in the day, EPFO said in a statement that no confirmed data leakage has been established or observed so far and hence, EPFO has taken “all necessary precautions and measures”, while denying any breach at a point as well. The EPFO through its official social media handles put out a statement regarding 'certain falsehoods being circulated in the social media platform about EPFO data'.
Although this is not the first violation where Aadhaar linked data has found a way into the pockets of the hackers, this is definitely the one where technically “12 percent of every employee’s salary that goes in Provident funds” and the data associated with is are at stake. Last month, The Citizen had reported Aadhaar data leak of 89,38,138 MNREGA workers in Andhra Pradesh on April 26, 2018.
A total of 114 government websites were hacked between April 2017 and January 2018, the Ministry of Electronics and IT told Lok Sabha in March.
Looking at the frequency of data leakages and violation of privacy that has taken the centrestage for experts, activists and now, employees, it is certain that taking down the website does not work as an effective damage control when the personal and employment data has already gone in the hands of the hackers while the government continues to maintain its ever- strong position that “the data is safe within 13-feel walls”.