Data Theft Concerns Prompt EPFO to Pull Down Aadhaar Seeding Portal

The Intelligence Bureau flagged concerns of possible data theft by hackers.

New Delhi: The Aadhaar-seeding portal of the Employees’ Provident Fund Organisation (EPFO) has been shut down, after the Intelligence Bureau (IB) flagged concerns of possible data theft by hackers.

In a letter dated March 23, 2018, central provident fund commissioner V.P. Joy wrote to Common Service Centre (CSC) CEO Dinesh Tyagi, warning him that data may have been stolen by hackers through the ‘aadhaar.epfoservices.com’ website.

“It has been intimated that the data has been stolen by hackers by exploiting the vulnerabilities prevailing in the website (aadhaar.epfoservices.com) of EPFO,” the letter stated, making reference to an IB note warning of data theft on the same issue.

“The IB has advised adhering best practices and guidelines for securing the confidential data, re-emphasising regular and meaningful audit and vulnerability assessment and penetration testing (CAPT) of the entire system from competent auditors and testers,” the letter stated.

According to people with knowledge of the matter, the data that may have been leaked includes the Aadhaar numbers, demographic information and employment details of millions of formal sector employees.

The seeding portal essentially allows CSC centres and EPFO field offices to help subscribers link their provident fund accounts to Aadhaar through an e-KYC process. As of February 2018, it had been used to link 34.5 million out of a total of 47.1 million active provident fund accounts with Aadhaar.

The letter notes that while the Aadhaar seeding portal is being hosted and “located at” EPFO’s data centre in Dwarka, the “application on the server” is being remotely managed by a CSC team.

While calls to Tyagi went unanswered, CSC sources told The Wire that the investigation into the matter started last week.

A statement put out by the EPFO on Wednesday noted that the development related to “services through common service centres and not about EPFO software or data centre”.

“No confirmed data leakage has been established or observed so far. As part of the data security and protection, EPFO has taken advance action by closing the server and host service through Common Service Centres pending vulnerability checks.”