EPFO Suspends Aadhaar-Seeding Portal After Reports Of Data Leak Of 2 Crore Members
May 4th, 2018
The Employees’ Provident Fund Organization (EPFO), a government-run body, was the latest target of hackers. Business Standard reported that personal data was stolen from one of the EPFO's Aadhaar-seeding portals in March this year, including the details of over 2 crore EPFO members who had linked their PF accounts to their Aadhaar numbers.
After the Intelligence Bureau (IB) flagged concerns of possible data theft by hackers, the Aadhaar-seeding portal of EPFO has been shut down.
How the breach came to light
The IB had informed the Ministry of Labour and Employment in March about the breach. This issue came to light when a letter by the Central Provident Fund Commissioner V P Joy to the Common Service Centre (CSC) Chief Executive Dinesh Tyagi on March 23 was leaked. The ‘secret’ letter has been doing the rounds on Twitter.
EPFO data stolen by hackers exploiting the vulnerabilities prevailing in the website (https://t.co/ohpaCFwomY) : VP Joy, Central Provident Fund Commissioner to MeitY.
Aadhaar case in SC at the last stage, how will the Govt defend this now ? pic.twitter.com/yYQJ3qDiCh
— Arvind Gunasekar (@arvindgunasekar) May 2, 2018
“I am not aware of any data leak,” Joy said. “We received a warning from the IB on March 22, and so I forwarded it to the relevant authorities the next day. This is a routine administrative matter,” he told Business Standard.
About the Aadhaar-seeding portal
EPFO had to shut down the Aadhaar-seeding website temporarily. The portal (aadhaar.epfoservices.com), managed by the Common Service Centre (CSC), used to help formal sector workers link their Aadhaar numbers with EPFO’s Universal Account Number (UAN) through CSC outlets. It also helped EPFO pensioners to submit their digital life certificates.
The blame game
“The web portal has been closed one-and-a-half months ago, immediately after a possible data theft was reported to us during a process of routine security check. There was some problem in the application run by CSC, and it is not related to our data centre that maintains the EPF accounts,” Joy said to Business Standard on May 2.
Tyagi told PTI that while the said application had been designed by the CSC, it was now hosted on EPFO data centres and servers. EPFO shut down the site on March 22 and asked the CSC to secure the confidential data of employees. The possible data leak may include employees’ Aadhaar number, name, date of birth, father’s name, PAN and employment details, among others.
The Unique Identification Authority of India (UIDAI) said that the alleged data breach took place on a website that does not belong to it. “This matter does not pertain at all to any Aadhaar data breach from UIDAI servers,” said the UIDAI in a press statement.
Brief history of data breach cases
This incident comes at a time when the Supreme Court is hearing petitions challenging the constitutional validity of the Aadhaar Act. There have been various incidents where Aadhaar data has been at risk.
In January 2018, The Tribune reported how Aadhaar data was available for just Rs 500. After that, India Today reported Aadhaar data being sold in villages for Rs 2-5. Later, French security researcher Robert Baptiste tweeted that Aadhaar numbers could be found online by running simple code.
Also published on Medium.