Services pertaining to Aadhaar-seeding with PF accounts done by Common Service Centre (CSC) have been suspended "pending vulnerability checks", retirement fund body EPFO said on Wednesday, but maintained that there was no data leakage.
The statement from the EPFO came amid reports of a letter purportedly written by EPFO Central Provident Fund Commissioner VP Joy to CSC's CEO, Dinesh Tyagi on March 23 flagging the data theft issue. While announcing the suspension of CSC services, the EPFO said, "Warnings regarding vulnerabilities in data or software is a routine administrative process based on which the services which were rendered through the CSC have been discontinued from March 22, 2018."
The EPFO said there is nothing to be concerned about and that all necessary measures are being taken to ensure that no data leakage takes place.
"No confirmed data leakage has been established or observed so far. As part of the data security and protection, the EPFO has taken advance action by closing the server and host service through the CSC pending vulnerability checks," it said in a statement.
The retirement fund body's statement came after reports had suggested theft of data of subscribers by hackers from 'aadhaar.epfoservices.com', a website operated by the CSC that comes under the Ministry of Electronics and IT.
The issue of data theft was purportedly raised by Joy in his letter dated March 23. "... it has been intimated that the data has been stolen by hackers by exploiting the vulnerabilities prevailing in the website (aadhaar.epfoservices.com) of EPFO...,"the purported letter had said.
The retirement fund body has been seeding Aadhaar with Universal Account (PF) numbers of its subscribers to improve delivery of services. It has planned to go paperless by August this year and then all its services would be provided online. Separately, Aadhaar-issuing body, Unique Identification Authority of India (UIDAI) clarified that there is no data compromise from its servers, and asserted that the Aadhaar database "remains safe and secure".
Asked about EPFO's chief's letter to CSC CEO, a top IT ministry official said that since vulnerability has been flagged, the ministry would take action to plug the gaps in case they exist. "We will have it looked at. A vulnerability has been pointed out, and so we will (undertake) the exercise to plug the vulnerability, if it is there," said the official who did not wish to be named.
When contacted by PTI, CSC CEO Dinesh Tyagi emphasised that while the said application had been designed by the CSC, it is now hosted on EPFO data centres and servers. "It is now fully under EPFO's control... the (Web) application has also been security audited by an empanelled auditor. But since the vulnerability has been pointed out, we are getting it audited by another auditor, and will send the report to the EPFO," Tyagi said.
The report of the data leak and alleged data vulnerability comes at a time when a Constitutional bench of the Supreme Court is hearing a clutch of petitions challenging the Aadhaar Act and the use of biometric identifier in various government and non-government services.