Tech News

Sensitive data of Indian pension fund holders exposed online – TechCrunch

A huge cache of data containing the full name, bank account number and nominee information of pension fund holders in India has surfaced online.

Security researcher Bob Diachenko found two separate IP addresses storing over 288 million records — with some 280 million records available under one IP address and about 8.4 million were a part of the second IP address. Both IP addresses were publicly exposing the data to the internet but were not protected by passwords, the researcher said.

The records were a part of cluster indices titled “UAN”, which apparently refers to the Universal Account Number allotted to pension fund holders by the state-owned Employees’ Provident Fund Organization (EPFO) in the country.

Related Articles

“From what I understood, information from the database could have been used to put together a complete profile of an Indian citizen and make them a target for a phishing or scamming attack,” Diachenko told TechCrunch.

Each record included personal information of individuals, including their marital status, gender and date of birth. There were also details mainly linked to their pension fund accounts, including the UAN, bank account number and employment status.

Apart from leaking the personally identifiable information (PII) of individuals holding pension fund accounts, the records exposed details of their nominees. These include their full name and relationship with the account holders.

Diachenko discovered the IP addresses leaking the sensitive data earlier this week. He tweeted a screenshot showing the data fields exposing personal information on Wednesday, alongside tagging India’s Computer Emergency Response Team (CERT-In). Less than a day after posting his tweet, both IP addresses in question were no longer accessible.

But Diachenko said it wasn’t clear who should claim responsibility for the exposed data that surfaced online. It is also unclear whether anyone other than Diachenko also found the exposed data.

TechCrunch reached out to India’s EPFO, CERT-In and the country’s IT ministry for comment, but we did not hear back.

In 2018, the Central Provident Fund Commissioner reportedly notified the IT ministry that hackers were able to steal data from the Aadhaar seeding portal of the EPFO website. That incident had put the information of about 27 million pension fund members at risk. However, the pension fund body later claimed on the record, but provided no evidence, that there was no data leakage from its side.



Photo of KSR

KSR

Hi there! I am the Founder of Cyber World Technologies. My skills include Android, Firebase, Python, PHP, and a lot more. If you have a project that you'd like me to work on, please let me know: contact@cyberworldtechnologies.co.in

Related Articles

Android 15 Could Include App Quarantine Feature to Protect Users From Malicious Apps: Report

April 18, 2024
tencent instantmesh 1713442543212

Tencent InstantMesh, an AI Model Capable of 3D Rendering Static Images Unveiled

April 18, 2024
iphone 7 held one hand 888650037

Pokémon Go players left fuming as new update has them demanding their money back

April 18, 2024
Screen Skinz

Screen Skinz raises $1.5 million seed to create custom screen protectors

April 18, 2024
Back to top button