Government sources have confirmed that a vulnerability in a government-run website meant to assist employees link their provident fund accounts with their Aadhaar numbers was targeted by hackers who made off with an unknown amount of sensitive personal data.
The website, the source said, was leaking data for "a few weeks" before it was detected and taken offline. Authorities are still trying to ascertain the nature, and quantity, of the data obtained by the hackers.
The data breach came to light earlier today, when a secret note, sent by Employee Provident Fund Organisation (EPFO)'s Chief Provident Fund Commissioner V.P. Joy, surfaced on Twitter.
The note, marked "Secret" and dated 23 March 2018, was a rare instance of an attack on a vulnerable state data cache becoming public knowledge. The vulnerability was detected in the Aadhaar-seeding platform provided by the Common Services Centre (CSC) E-governance Services Ltd, a special purpose vehicle of MEITY.
EPFO is just one of many government departments that use this platform for Aadhaar-seeding various services. In February this year, the Unique Identification Authority of India (UIDAI) terminated its relationship with CSC, citing corruption and violations in the aadhaar-enrollment centres run by the company.
This security breach is the latest illustration of the vulnerabilities of India's ambitious e-governance push and, security analysts say, highlights the risks of the central government push to seed citizen aadhaar numbers in multiple state-maintained databases.
"It has been intimated that data has been stolen by hackers by exploiting the vulnerabilities prevailing in the website (aadhaar.epfoservices.com) of EPFO," the March 23 letter said, adding that the attack had been first spotted by the Intelligence Bureau.
The website was since been taken down soon after the letter was sent, and is yet to come back online.
V.P. Joy, the Central Provident Fund Commissioner of the EPFO and author of the note, confirmed the authenticity of the letter in a phone call with HuffPost, but played down its significance.
"I am not aware of any data leak," Joy said. "We received a warning from the IB on March 22, and so I forwarded it to the relevant authorities the next day. This is a routine administrative matter."
A press release issued by his office, this afternoon, echoed Joy's comments, but seemingly contradicted his March 23 note. "No confirmed data leakage has been established or observed so far," the press release stated.
That the breach occurred from a portal seeding Aadhaar numbers with EPFO UAN numbers, suggests that the hackers are likely to have harvested some Aadhaar numbers. Thus far, the EPFO has linked 34.5 million out of a total of 47.1 million active provident fund accounts with Aadhaar according to news reports. But Joy was at pains to clarify that information about EPFO-Aadhaar linked accounts was maintained on a separate server, which was not compromised.
HuffPost has written to Dinesh Tyagi, CEO of the state-run Common Services Centre, and will update this copy with his comments once he replies.
The March 23 2018 refers to two specific vulnerabilities: "Strut vulnerabilities" and "Backdoor Shells."
While "backdoor shells" refer to the possibility of hackers gaining control of a portal's administrator privileges, Struts refers to "Apache Struts", a widely used Java application with an established history of vulnerabilities, the best of known which is the 2017 Equifax data breach which exposed the personal details of 143 American citizens.
In April this year, the Minister of State for Electronics and Information Technology K.J. Alphons, told the Rajya Sabha that the UIDAI had audited Equifax in the aftermath of the data breach.
"It is a known vulnerability," said security researcher Srinivas Kodali. "Had UIDAI audited EPFIO like they audited Equifax, they would have found it."
A similar vulnerability was exploited by French security researcher Robert Baptiste to penetrate the Telangana MNRega website.
On Twitter, where the letter was first posted, security analyst Kiran Jonnalagadda, said it was likely that the vulnerability was spotted by hackers trawling the internet for sites running an insecure version of Struts.
This story has been updated to reflect information passed on by government sources monitoring the data breach