Data breach forces EPFO to suspend Aadhaar-seeding services

BS reports the Intelligence Bureau (IB) informed the Labor and Employment Ministry about the data theft last month.

Hackers "exploit(ed) the vulnerabilities prevailing in the EPFO website (aadhaar.epfoservices.com)," central provident fund commissioner VP Joy wrote to Dinesh Tyagi, CEO at Common Service Centre (CSC), manager of the website's server, on March 23.

The EPFO shut down the website, urging CSC to secure confidential data.

The IB mentioned two vulnerabilities in the portal. Backdoor shell is when hackers gain access to the front-end of a service through the back-end, meaning "they could get administrative privileges and manipulate systems," a security-researcher explained.

Meanwhile, Apache Struts is a Java-based platform used to develop web applications.

Breach in struts means "(hackers) could remotely run code on machines at EPFO without much difficulty."

The EPFO has put the responsibility on the CSC, insisting "the news (of the breach) is relating to the services through CSC and not EPFO Software or data center."

"No confirmed data leakage has been established or observed so far."

"As part of data security and protection, EPFO has taken advance action by closing the server and host service through CSC pending vulnerability checks."