A security researcher named Volodymyr Diachenko, aka Bob, claims to have had access to over 280m bank account records of Indian citizens and has warned that the data exposure could lead to an information disaster if the Indian government, led by Honorable Prime Minister Shri Narendra Modi Ji, doesn’t take it seriously.
Going into the details, Bob found two unsecured IP addresses during routine research last week. When he tried to access the databases behind those IPs, he found two massive troves of data belonging to the populace of the Indian subcontinent.
One of those IPs had 280,472,980 records stored on it, while the other had 8,390,500 records.
Diachenko, who is the founder of SecurityDiscovery.com, claims the records contain personal information tied to Universal Account Numbers (UANs), which EPFO assigns to each account holder. The information trove, available on Azure, reportedly contains IFSC codes, Aadhaar card numbers, employment details of the account holders, their income slabs, GST numbers, marital status and other personal information about their family members.
As proof, Bob offered a screenshot of the details that were accessible to him on the Elasticsearch cluster and posted it on his Twitter and Facebook accounts. He alleged the server was left unsecured and was openly accessible as a trove of information for some reason.
For those who are unaware of UAN, here’s a bit on it. A UAN is a unique 12-digit number allotted to working employees who contribute to the Employees’ Provident Fund Organization (EPFO). The number is authenticated by the Ministry of Labor and Employment and other government agencies, such as the UIDAI (Aadhaar) and the Income Tax Department. What’s concerning about the leak is that any hacker with technical expertise can use these details to create a virtual profile of an individual, through which they can figure out the individual’s Aadhaar and PAN-related details to launch spear phishing and identity theft attacks.
Bob, the chief of SecurityDiscovery.com, has already sent a red alert to EPFO and CERT-In about the breach and learned that the databases have now been secured completely with a foolproof password and 2FA.
To date, CSC e-Governance India LTD has supervised and resolved EPFO’s software glitches. Previously, almost 4 years ago, EPFO was alerted by a security agency about a data breach on an Aadhaar seeding portal that was supposed to be linked to the services of the Employees’ Provident Fund servers, and the blame was put on CSC software.