A huge data cache containing the full names, bank account numbers and nominee information of pension fund holders in India has surfaced on the Internet.
Security researcher Bob Diachenko found two separate IP addresses that together held more than 288 million records: about 280 million records were available under one IP address and about 8.4 million under a second. Both IP addresses exposed the data publicly on the Internet with no password protection, the researcher said.
The entries were part of an index called “UAN”, which appears to refer to the Universal Account Number allocated to pension fund holders by the country's state-run Employees' Provident Fund Organisation (EPFO).
“As far as I understand, information from the database could be used to compile a complete profile of an Indian citizen and turn him into a target for a phishing or scam attack,” Diachenko told TechCrunch.
Each entry included personal information about an individual, including marital status, gender and date of birth, along with data relating to their pension fund account, including the UAN, bank account number and employment status.
In addition to the personally identifiable information (PII) of the account holders themselves, the records revealed details of their nominees, including the nominee's full name and relationship to the account holder.
Diachenko discovered the IP addresses leaking the sensitive data earlier this week. On Wednesday he tweeted a screenshot showing the exposed data fields, tagging the Indian Computer Emergency Response Team (CERT-In). Less than a day after the tweet was posted, both IP addresses in question were no longer reachable.
Diachenko said it was not clear who was responsible for the exposed data, and it is also unclear whether anyone other than Diachenko found it while it was online.
TechCrunch has reached out to India's EPFO, CERT-In and the country's IT ministry for comment but has not received a response.
In 2018, the Central Provident Fund Commissioner reportedly notified the Ministry of Electronics and Information Technology that hackers had stolen data from EPFO's Aadhaar seeding portal. The incident was said to have compromised the information of some 27 million pension fund members. However, the pension fund authority later said in a statement, without providing evidence, that there had been no data leak on its side.
Credit: techcrunch.com