Confidential data of formal sector employees enrolled under the Employees’ Provident Fund Organisation (EPFO) has been stolen by hackers, forcing the EPFO to temporarily shut its Aadhaar-seeding portal.
The Intelligence Bureau (IB) informed the Labour and Employment Ministry in March about the data theft from the EPFO’s web portal that links employees' Aadhaar numbers with their provident fund accounts. The data possibly leaked from the website includes employees' Aadhaar numbers, names, dates of birth, fathers' names, PAN and employment details, among other fields. However, the EPFO said it is still unaware of the nature of the data theft.
“It has been intimated that the data has been stolen by hackers by exploiting the vulnerabilities prevailing in the website (aadhaar.epfoservices.com) of EPFO,” central provident fund commissioner V P Joy wrote in a letter dated March 23 to Dinesh Tyagi, chief executive officer (CEO) at Common Service Centre (CSC) which is managing the website’s server.
The EPFO has shut down the website, urging the CSC to secure the confidential data of employees and plug the vulnerabilities, the letter stated. “The IB has advised adhering to best practices and guidelines for securing the confidential data, re-emphasising regular and meaningful audit and vulnerability assessment and penetration testing (VAPT) of the entire system from competent auditors and testers,” the letter stated.
The hacked web portal provides a facility for EPFO field offices and CSC centres to seed Aadhaar numbers, in electronic know-your-customer (e-KYC) mode, against the universal account number (UAN) allocated to each employee.
“The service has been closed one-and-a-half months back immediately after the possible data theft was reported to us during a process of routine security check. There was some problem in the server of CSC and it is not related to our server,” Joy told Business Standard. He, however, said he is unaware of what confidential data of employees might have been stolen by the hackers.
In a statement issued on Wednesday, EPFO said: “It is informed that warnings regarding vulnerabilities in data or software is a routine administrative process based on which the services which were rendered through Common Service Centres have been discontinued w.e.f. 22nd March 2018. The news is relating to the services through common service centres and not about EPFO Software or data centre. No confirmed data leakage has been established or observed so far. As part of the data security and protection, EPFO has taken advance action by closing the server and host service through Common Service Centres pending vulnerability checks. As such, there is nothing to be concerned about.”
According to sources, EPFO also clarified that Aadhaar-seeding of its subscribers was being done through other modes, such as the government's mobile application Umang.
The EPFO has issued 130 million UANs so far to formal sector workers. Till recently, it had linked 34.5 million out of a total of 47.1 million active provident fund accounts with Aadhaar.
The IB pointed to two vulnerabilities in the EPFO’s web portal: an Apache Struts vulnerability and backdoor shells (web shells left on the server). The letter, as reported, does not identify the specific Struts flaw.
An independent security researcher who didn't want to be named explained the two vulnerabilities mentioned in the letter and said that both of these are serious violations and come under the highest grade of security breaches in public data systems.
“A shell is essentially the view or the terminal of a web service that you see on the screen and backdoor shell implies that someone got access to it through the back-end which means they could get administrative privileges and manipulate the systems,” he said.
This is not the first time that an Apache Struts vulnerability has been exploited by hackers to get access to Aadhaar data. In March this year, it was reported that an India Post database containing bank account details of employees and other sensitive customer information was exposed to hackers through the same vulnerability. Remote code execution was carried out on an India Post website, where malware was found to have been injected by hackers, even as the organisation insisted that there was no data loss.
Apache Struts is an open-source Java framework used by organisations to develop web applications. A critical remote code execution flaw in Struts (CVE-2017-5638, patched by the Apache project in March 2017) was exploited in the Equifax breach disclosed in September 2017, which exposed the personal records of more than 140 million US consumers, including roughly 200,000 credit card numbers. While the project quickly released a fix, many entities did not install the update on time, according to a security researcher.
“This was quickly fixed by the company through an update but it seems like people, in this case, didn't install the update on time and elements got access to the data through the Struts interface. This means that they could remotely run code and programs on the machines at EPFO without too much difficulty,” he said.
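The two findings named in the IB letter, an unpatched Struts deployment and backdoor shells, are both things a responder can check for on the host itself. The script below is an added example written for this article; it is not EPFO's, CSC's or the IB's tooling. It assumes a Struts 2 application deployed as an exploded WAR, checks only CVE-2017-5638 (the flaw behind the Equifax breach; the article never names the flaw found on the EPFO portal), and uses constructed jar names, header values and JSP text as sample input. The affected version ranges are those in the Apache S2-045 advisory.

```python
"""Post-incident checks for a Struts 2 host: vulnerable struts2-core jar,
OGNL injection in a Content-Type header, and JSP web-shell indicators.

Added example, not code from the article or from EPFO/CSC. Sample inputs
are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Tuple

# CVE-2017-5638 (S2-045) affects Struts 2.3.5 through 2.3.31 and
# 2.5 through 2.5.10, per the Apache advisory.
VULN_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]

_JAR_RE = re.compile(r"^struts2-core-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")


def struts_version(jar_name: str):
    """Return (major, minor, patch) for a struts2-core jar name, else None."""
    m = _JAR_RE.match(jar_name)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def vulnerable_to_s2_045(version: Tuple[int, int, int]) -> bool:
    """Tuple comparison against the inclusive affected ranges."""
    return any(lo <= version <= hi for lo, hi in VULN_RANGES)


def check_lib_dir(jar_names: Iterable[str]) -> List[str]:
    """Flag struts2-core jars from a WEB-INF/lib listing that are in range."""
    return [n for n in jar_names
            if struts_version(n) and vulnerable_to_s2_045(struts_version(n))]


# S2-045 is triggered by an OGNL expression smuggled into Content-Type.
# A legitimate value never contains "%{" or "${" followed by a "#".
_OGNL_RE = re.compile(r"[%$]\{.*#")


def suspicious_content_type(value: str) -> bool:
    """True when a Content-Type header value carries an OGNL expression."""
    return bool(_OGNL_RE.search(value))


# Crude web-shell indicator for JSP: OS command execution whose input comes
# from a request parameter. Expect some false positives in real code bases.
_EXEC_RE = re.compile(r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder")
_PARAM_RE = re.compile(r"request\.getParameter")


def webshell_indicators(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Scan {path: contents} and return (path, reason) for likely shells."""
    hits = []
    for path, text in files.items():
        if not path.endswith((".jsp", ".jspx")):
            continue
        if _EXEC_RE.search(text) and _PARAM_RE.search(text):
            hits.append((path, "command execution fed by a request parameter"))
    return hits


# Constructed sample inputs (hypothetical paths and contents).
SAMPLE_LIB = ["commons-lang-2.6.jar", "struts2-core-2.3.31.jar",
              "ognl-3.0.19.jar"]
SAMPLE_HEADER = "%{(#_='multipart/form-data').(#cmd='id')}"
SAMPLE_FILES = {
    "webapp/index.jsp": "<html><body>Seed Aadhaar</body></html>",
    "webapp/images/help.jsp": ('<% String c = request.getParameter("x");'
                               ' Runtime.getRuntime().exec(c); %>'),
}

if __name__ == "__main__":
    print("vulnerable jars:", check_lib_dir(SAMPLE_LIB))
    print("OGNL in Content-Type:", suspicious_content_type(SAMPLE_HEADER))
    for path, why in webshell_indicators(SAMPLE_FILES):
        print("possible web shell:", path, "-", why)
```

The version check is only as good as the jar name; a renamed or shaded struts2-core needs a manifest or hash check instead. The header check belongs in a WAF or reverse-proxy log search, since ordinary access logs do not record Content-Type.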