Was provident fund data of 2.7 crore subscribers hacked?

The EPFO has officially denied the hacking even though the Central Provident Fund Commissioner has taken up the matter with the Ministry of Electronics and Information Technology 

If data is the new oil, then India must rank high on the list of those mining for this valuable resource. With no effective cyber laws in place and a poorly secured national identity database called Aadhaar, this country’s digital databases are likely low-hanging fruit ready for picking. And the mandatory seeding or linking of Aadhaar to over 100 services, including banking, insurance and welfare schemes, has ensured that personal data can be breached at several points.

There have been several shocking reports of data thefts periodically since 2017. The latest came to light in the first week of May with the revelation that confidential data of 2.7 crore subscribers of the Employees’ Provident Fund Organisation (EPFO) may well have been hacked this March. While the EPFO has denied a data breach, the fact that it temporarily shut down a website (aadhaar.epfoservices.com), which links Aadhaar numbers of subscribers with their pension accounts, shows that the hackers may have entered the network. The website in question continues to remain disabled as of May 8 2017.

The site had confidential data including Aadhaar and Permanent Account Numbers (PAN) of subscribers, their source of income/salary as well as details of family members. This information, according to experts, can either be sold or used with criminal intent. Crimes that follow data theft are not committed immediately after a security breach. Cyber criminals are known to be patient and strike when least expected.

A not-so-secret note
The cyber security threat in EPFO would not have come to public notice but for an official note marked “Secret” being leaked on Twitter. Dated March 23, the note (see image below), signed by VP Joy, Central Provident Fund Commissioner (CPFC) is addressed to Dinesh Tyagi, CEO of the Common Service Centre (CSC), a department under the Ministry of Electronics and Information Technology, which manages the EPFO’s website.

In the opening para of his note, Joy writes about a tip-off from the Intelligence Bureau (IB). “It has been intimated that data has been stolen by hackers by exploiting the vulnerabilities prevailing in the website (aadhaar.epfoservices.com) of EPFO.” The note then goes on to state that, “The IB has advised to adhere to best practices and guidelines for securing the confidential data, re-emphasising regular and meaningful audit and vulnerability Assessment and Penetration Testing (CAPT) of the entire System from competent auditors and testers.”

The vulnerable areas referred to in the note are “Struts” and “Backdoor Shells”. The former is Apache Struts, a popular open-source framework used to build websites. Once it is compromised, an attacker can connect to the database server and extract data with ease. ‘Backdoor Shells’ refers to malicious code that can be uploaded to a site to gain access to its files and administer them. As a result, once the code enters a site, a hacker can use it to edit, delete or download any files on the site or upload their own.

That the EPFO was alarmed by the situation is reflected in the Central Provident Fund Commissioner pointing out in his note that his organisation was disabling the servers till vulnerabilities are rectified. “You are requested to deploy immediately your expert Technical Team in order to plug in the identified as well as other vulnerabilities, if any, in the aadhaar.epfoservices.com along with implementing other suggestions of IB. Till the time, we have stopped the servers and discontinued hosted services.”

Central Provident Fund Commissioner VP Joy’s 23 March note to Dinesh Tyagi, the chief executive of Common Service Centre, Ministry of Electronics and Information Technology

In denial mode
The EPFO has not denied the March 23 note written by its Commissioner to the CSC chief executive. It only said that it was “surprised” about it being leaked. However, on May 2, the Organisation issued a press statement in which it downplayed the breach of data. “Warnings regarding vulnerabilities in data or software is a routine administrative process,” the statement said, adding that no “confirmed data leakage has been established or observed so far”. It did confirm that services on the website had been “discontinued” as of March 22 as a precautionary measure.

This was as ambiguous as it could get. According to sources in EPFO, the note added to the confusion among subscribers because the denial was not absolute and ran counter to Commissioner Joy’s assertion in his note that the site had been hacked. The Unique Identification Authority of India (UIDAI), which started Aadhaar, did not help matters either when it distanced itself from news of the hacking. “This matter does not pertain at all to any Aadhaar breach from UIDAI servers. There is absolutely no breach into Aadhaar database of UIDAI. Aadhaar data remains safe and secure,” it said. It is another matter that the EPFO data hacked included the Aadhaar details of subscribers.

The only positive from the episode is that the EPFO responded immediately to the IB alert and shut down its server. It was also quick to inform the CSC, which manages the EPFO website. However, the fact that vulnerabilities in aadhaar.epfoservices.com have not been rectified well over a month after it was forced to shut down reflects the serious nature of the breach and/or the technical limitations of the CSC.

Interestingly, it was only a few months ago that EPFO’s exhaustive and confidential database found its way to two non-government researchers. When the planning body, Niti Aayog, commissioned a study on employment in the country in October 2017, it accessed the EPFO’s complete database, according to security expert Anivar Anand. This was subsequently passed by the planning body to two private researchers who conducted the study. The EPFO was reportedly not in the know that its data was being passed on to non-government researchers.

In a related development, security concerns over Aadhaar have prompted Mozilla.org, the makers of the Firefox browser, to issue a statement on May 1 on the gravity of the issue. “Mozilla has long argued that the Aadhaar lacks critical safeguards. With the demographic data reportedly compromised, it is hard to see how Aadhaar can be trusted for authentication. Access to myriad vital public and private services which require Aadhaar for more than a billion Indians is now at risk,” says the statement. It urged UIDAI to close glaring security loopholes, and to “engage an independent firm to do a security audit of the Aadhaar”.

Despite several warnings from international experts about security and privacy issues involving Aadhaar, the government has been in denial mode. Reported instances of hacking and misuse of data have not deterred it from pursuing its policy of pushing Aadhaar as the most trusted ID authentication system in the country. And as things stand, no one can, with any certainty, say how much damage has been inflicted by the EPFO hacking since data is not physically stolen. It is simply copied and misused later.
