Data breach forces EPFO to suspend Aadhaar-seeding services
New information has come to light about a data breach in the EPFO portal that let subscribers link their Aadhaar to their Universal Account Number (UAN). As a precaution, Aadhaar-seeding services were discontinued on March 22. Though there is no official account of what information was stolen, reports say the leak affected employees' Aadhaar number, name, father's name, PAN, and employment details, among other data.
The EPFO shut down the website once the breach was discovered
BS reports that the Intelligence Bureau (IB) informed the Labour and Employment Ministry about the data theft last month. Hackers "exploit(ed) the vulnerabilities prevailing in the EPFO website (aadhaar.epfoservices.com)," central provident fund commissioner VP Joy wrote on March 23 to Dinesh Tyagi, CEO of Common Service Centre (CSC), which manages the website's server. The EPFO shut down the website and urged CSC to secure the confidential data.
Hackers exploited backdoor shells and a Struts vulnerability
The IB mentioned two vulnerabilities in the portal. A backdoor shell is one through which hackers gain access to the front end of a service via its back end, meaning "they could get administrative privileges and manipulate systems," a security researcher explained. Apache Struts, meanwhile, is a Java-based framework used to develop web applications. A breach in Struts means "(hackers) could remotely run code on machines at EPFO without much difficulty."
'There's nothing to be concerned about,' EPFO insists
The EPFO has put the responsibility on the CSC, insisting "the news (of the breach) is relating to the services through CSC and not EPFO Software or data center." It added: "No confirmed data leakage has been established or observed so far." and "As part of data security and protection, EPFO has taken advance action by closing the server and host service through CSC pending vulnerability checks."
Currently, Aadhaar-seeding is being done through other modes
For now, Aadhaar-seeding continues through other modes, such as the government's mobile app Umang. The EPFO has issued 13cr UANs so far to formal-sector workers; 3.45cr of the 4.7cr active PF accounts have been linked to Aadhaar.