New Delhi: The repository of pension funds – the Employees Provident Fund Organisation – has reportedly ordered vulnerability checks in the backdrop of allegations that the personal and professional details of 2.7 crore members registered with it may have been exposed to data theft.
The allegations stem from a letter written by none other than the Central Provident Fund Commissioner to the Ministry of Electronics and Information Technology.
The gist of the letter, according to NDTV.com, is that hackers have stolen data from the Aadhaar seeding portal of EPFO. Details of the scale of the breach are not known but the website contains information like the names and addresses of EPF subscribers besides their employment history. Each person contributes a portion of his salary to provident fund, so salary details could also have been stolen. Also the bank account numbers, as people tend to withdraw their PF, said a cybersecurity expert, cited in an NDTV report.
According to the channel, in the letter marked “secret”, the commissioner wrote that the Intelligence Bureau had informed them of “hackers exploiting the vulnerabilities prevailing in the website (aadhaar.epfoservices.com) of EPFO.”
The commissioner has also asked the ministry’s technical team to plug loopholes in the portal aadhaar.epfoservices.com, which has been temporarily shut. The portal links the Aadhaar number of employees with their provident fund accounts. The retirement fund body has been seeding Aadhaar with PF numbers of its subscribers to improve delivery of services. When contacted, a senior IT ministry official told PTI that as certain vulnerabilities have been pointed out, the ministry will take action to plug the gaps, in case they exist.
The body that governs Aadhaar, UIDAI, has clarified that it has nothing to do with the alleged data breach from aadhaar.epfoservices.com. “This matter does not pertain at all to any Aadhaar data breach from UIDAI servers. There is absolutely no breach in the Aadhaar database of UIDAI. Aadhaar data remains safe and secure,” it said.
The EPFO, too, has ruled out any leakage of subscribers’ data. “Warnings regarding vulnerabilities in data or software is a routine administrative process based on which the services which were rendered through the CCS website, which comes under the Ministry of Electronics and IT, have been discontinued from March 22, 2018,” said an EPFO statement after the report on data leak went viral.