The Employees' Provident Fund Organisation (EPFO) website is the latest government-run body to get caught in a data leak scare. The Aadhaar details of over 2 crore EPFO members who had linked their PF accounts to their Aadhaar numbers were reportedly stolen by hackers in March.
According to a report in Business Standard, confidential data of formal sector employees enrolled under the EPFO was stolen by hackers, forcing EPFO to temporarily shut the Aadhaar-seeding portal. The Labour and Employment Ministry was informed about the alleged data theft by the Intelligence Bureau (IB).
Meanwhile, the retirement fund body said it has discontinued Aadhaar-seeding portal services provided through Common Service Centre (CSC) "pending vulnerability checks" and ruled out any leakage of subscribers' data from a government website. CSC comes under the Ministry of Electronics and IT.
"Warnings regarding vulnerabilities in data or software is a routine administrative process based on which the services which were rendered through CSC have been discontinued from March 22, 2018," said an EPFO statement issued after the report went viral. It said the report is related to the services through CSC and not about EPFO software or data centre.
"No confirmed data leakage has been established or observed so far. As part of the data security and protection, EPFO has taken advance action by closing the server and host service through CSC pending vulnerability checks," EPFO said.
It said there is nothing to be concerned about and EPFO has been taking all necessary measures to ensure that no data leakage takes place and will continue to be vigilant about it in the future.
The retirement fund body has been seeding Aadhaar with the Universal Account Numbers of its subscribers to improve delivery of services. It has planned to go paperless by August this year, so all its services would also be provided online.

In a letter dated March 23, Central Provident Fund Commissioner V P Joy had written to Dinesh Tyagi, Chief Executive Officer (CEO) of the Common Service Centre (CSC), which manages the website's server, about the data leak by hackers 'by exploiting the vulnerabilities prevailing in the website (aadhaar.epfoservices.com) of EPFO'. The letter, marked 'Secret', carried the following subject line: "Data Theft from ICT Infrastructure of Aadhaar Seeding Service for Employees' Provident Fund Organisation".
On the EPFO's web portal, employees have the option of linking their Aadhaar number with their provident fund accounts. The possible data leak from the website may include employees' Aadhaar number, name, date of birth, father's name, PAN and employment details, among others.

"The IB has advised adhering best practices and guidelines for securing the confidential data, re-emphasising regular and meaningful audit and vulnerability assessment and penetration testing (CAPT) of the entire system from competent auditors and testers," the letter reportedly stated.
Of the over 5 crore EPFO members, as many as 2.75 crore had seeded their Aadhaar with their PF accounts. Last July, Aadhaar-seeding was made mandatory by EPFO for new subscribers.
The above-mentioned letter had further requested CSC to "immediately" deploy its "technical team in order to plug in the identified as well as other vulnerabilities if any" in the website. It added that EPFO had stopped the servers and discontinued hosting services till the matter could be resolved.
A senior IT ministry official said that since a vulnerability has been pointed out, the ministry will take action to plug the gaps, if they exist, PTI reported.
"We will have it looked at. A vulnerability has been pointed out, and so we will (undertake) the exercise to plug the vulnerability, if it is there," said the official who did not wish to be named.
With PTI inputs