Tech News : NDTV Gadgets360.com

EPFO Data Reportedly Stolen via Its Aadhaar Seeding Service, EPFO Denies Reports

 
02 May 2018

Highlights

  • The EPFO data theft was reported in a leaked letter dated March 23
  • EPFO denies any data theft, and says the letter was routine
  • Services were apparently shut down on March 22

Employees Provident Fund Organisation (EPFO) data has reportedly been stolen by hackers, according to a leaked letter shared by two Twitter users. The letter was sent by Dr. V. P. Joy, the Central Provident Fund Commissioner, to Dinesh Tyagi, CEO of the Common Service Center (CSC) at the Ministry of Electronics and Information Technology (MeitY). The leaked letter states the data theft took advantage of vulnerabilities on the aadhaar.epfoservices.com website, which is the Aadhaar Seeding Service for the EPFO and is deployed on servers of the EPFO's National Data Centre. A separate press release by EPFO appears to deny any data theft, calling the closure of servers a routine exercise.

The leaked letter was sent by Dr. V. P. Joy on March 23, as seen in the tweets shared by @raydeep and @arvindgunasekar. The letter claims Dr. V. P. Joy was intimated by the Intelligence Bureau, which specified the aadhaar.epfoservices.com vulnerabilities were of two forms - strut vulnerability and backdoor shells. The IB also said that while the website is deployed on the EPFO's National Data Centre servers, the application on the server is remotely managed by the Common Service Centre (CSC) team. The tweets were first highlighted by Latestly.

Dr. V. P. Joy also notes in the leaked letter that till the aadhaar.epfoservices.com vulnerabilities - identified by IB as well as any others found by the MeitY team - are plugged, EPFO will stop the servers and any hosted services. It is uncertain what has happened in the interim.

The leaked letter also notes that the IB has recommended that the EPFO follow "best practices and guidelines for securing confidential data, re-emphasising regular and meaningful audit and vulnerability assessment and penetration testing (VAPT) of the entire system from competent auditors and testers."

Separately, a press release issued by the EPFO on Tuesday claims reports citing the leaked letter are false. Appearing to confirm the existence of the letter from Dr. V. P. Joy to Tyagi, the press release claims the warnings regarding vulnerabilities were a "routine administrative process" based on which EPFO services rendered through the CSC were discontinued.

"No confirmed data leakage has been established or observed so far. As part of the data security and protection, EPFO has taken advance action by closing the server and host service through Common Service Centres pending vulnerability checks," the statement said, adding, "EPFO has been taking all necessary precautions and measures to ensure that no data leakage takes place and will continue to be vigilant about it in the future."

