EPFO-Aadhaar seeding data breach row: EPFO Central Provident Fund Commissioner V P Joy has written a letter to CSC's CEO, Dinesh Tyagi, on March 23, flagging the issue of data theft.
The Employment Provident Fund Organisation (EPFO) on Wednesday suspended the services of the Common Service Centre (CSC) amid reports of a data breach in Aadhaar-seeding with PF accounts. Subsequently, the website, aadhaar.epfoservices.com, used to link Aadhaar with EPFO, was also shut down by the department.
Earlier, it was reported that EPFO Central Provident Fund Commissioner V P Joy had written a letter to CSC’s CEO, Dinesh Tyagi, on March 23, flagging the issue of data theft.
The EPFO, while announcing the suspension of CSC's services, said that warnings regarding vulnerabilities in data or software are a ‘routine administrative process’. It further said that the services of CSC were discontinued from March 22 on the basis of vulnerabilities recorded in the process.
The pension body assured that there is nothing to be concerned about and that all necessary measures are being taken to ensure that no data leakage takes place.
The statement issued by the EPFO said that “no confirmed data leakage has been established or observed so far.” It added that the closing of the server and host service through the CSC, pending vulnerability checks, was an advance measure to avoid a data breach.
The EPFO statement came after reports suggested that hackers had stolen subscribers' data from ‘aadhaar.epfoservices.com’, a website operated by the CSC, which comes under the Ministry of Electronics and IT. The issue of data theft was purportedly raised by VP Joy in his letter dated March 23. “… it has been intimated that the data has been stolen by hackers by exploiting the vulnerabilities prevailing in the website (aadhaar.epfoservices.com) of EPFO…,” the letter said, as per PTI.
Speaking to The Indian Express, Joy said that the suspected data leak “did not happen on the server or software run by EPFO” but “on the CSC software”, following which the CSC services were curtailed on March 22.
The EPFO has been seeding Aadhaar with the Universal Account (PF) numbers of its subscribers with the aim of improving delivery of services. The retirement fund body planned to go paperless by August this year, after which all its services would be provided online.
On the other hand, the Unique Identification Authority of India (UIDAI), the body that controls Aadhaar-related issues, clarified that there is no data compromise from its servers, and asserted that the Aadhaar database “remains safe and secure”.
Speaking to PTI, CSC CEO Dinesh Tyagi emphasised that the application in question had been designed by the CSC; however, it is now hosted on EPFO data centres and servers.
“It is now fully under EPFO’s control… the (web) application has also been security audited by an empanelled auditor. But since the vulnerability has been pointed out, we are getting it audited by another auditor, and will send the report to the EPFO,” Tyagi was quoted as saying.
The reports of the data leak and alleged data vulnerability gain significance as they come at a time when a Constitutional bench of the Supreme Court is hearing a number of petitions challenging the Aadhaar Act and the use of the biometric identifier.