Business Standard

Is your bank account safe? Govt sites may have exposed 100 mn accounts

The estimated number of Aadhaar numbers leaked through 4 govt portals could be around 130-135 mn

TheWire staff 


Irresponsible information security practices by a major central ministry and a state may have exposed up to 135 million Aadhaar numbers, according to a new research report released on Monday.

The last two months have seen a wave of data leaks, mostly due to improper information security practices, from various central and state departments.

A new report, released by the Centre for Internet and Society, studied four databases. The first two belong to the rural development ministry: the National Social Assistance Programme (NSAP)’s dashboard and the National Rural Employment Guarantee Act (NREGA)’s portal.

The second two databases deal with the state of Andhra Pradesh: namely, the state government’s own portal and the online dashboard of a state scheme called “Chandranna Bima”.

“Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million and the number of bank accounts leaked at around 100 million from the specific portals we looked at,” the report’s authors, Amber Sinha and Srinivas Kodali, state.

The leaks come, in part, from the government’s decision to provide online dashboards that were likely meant for general transparency and easy administration. However, as the report notes, while open data portals are a laudable goal, if there aren’t any proper safeguards, the results can be downright disastrous.

“While availability of aggregate information on the dashboard may play a role in making functioning more transparent, the fact that granular details about individuals including sensitive PII such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away suggests how poorly conceived these initiatives are,” the report says.

Consider the NSAP portal, for instance. The dashboard allows users to explore a list of pensioners, whose personally identifiable information includes bank account number, name and Aadhaar number. While these details are “masked for public view”, the CIS report points out that if “one of the URL query parameters of the website… was modified from ‘nologin’ to ‘login’”, it became easy to gain access to the unmasked details without a password.
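The NSAP flaw described above, a masked/unmasked switch driven by a URL parameter, is an authorization decision made on the client's say-so. The following is an added example, not code from the report, the portal or this article, contrasting that pattern with a server-side check; the handler names, record fields, session store and sample values are all constructed for illustration.

```python
"""Constructed example: a beneficiary-lookup handler that chooses masked
vs. unmasked output. The vulnerable version trusts a 'view' query
parameter (the nologin/login pattern); the fixed version only unmasks
for an authenticated session. Names and sample data are invented."""
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample record; every value here is fabricated.
RECORD = {
    "name": "Sample Beneficiary",
    "aadhaar": "123412341234",
    "account": "001234567890",
}

# Constructed session store: token -> role. A real system would use a
# server-side session with expiry behind a signed, HttpOnly cookie.
SESSIONS = {"tok-officer-1": "officer"}


def mask(value: str, keep: int = 4) -> str:
    """Replace all but the last `keep` characters with X."""
    if len(value) <= keep:
        return "X" * len(value)
    return "X" * (len(value) - keep) + value[-keep:]


def render(record: dict, unmasked: bool) -> dict:
    """Return the record masked unless the caller is allowed full view."""
    if unmasked:
        return dict(record)
    return {k: (mask(v) if k in ("aadhaar", "account") else v)
            for k, v in record.items()}


def vulnerable_handler(query_string: str) -> dict:
    """Authorization decided by a client-supplied parameter: changing
    view=nologin to view=login in the URL yields the unmasked record."""
    params = parse_qs(query_string)
    unmasked = params.get("view", ["nologin"])[0] == "login"
    return render(RECORD, unmasked)


def fixed_handler(query_string: str, session_token: Optional[str]) -> dict:
    """Authorization decided server-side from the session; the query
    string cannot influence it, so the public path is always masked."""
    role = SESSIONS.get(session_token or "")
    return render(RECORD, unmasked=(role == "officer"))
```

The test of the fix is that `fixed_handler("view=login", None)` still returns masked fields: the parameter the report's authors flipped no longer carries any authority.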

“It is entirely unclear to us what the purpose behind making available a data download option on the NSAP website is. This feature allows download of beneficiary details mentioned above such as Beneficiary No., Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account No. for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district, and state,” the report states.

UIDAI role?

Kodali and Sinha also prominently finger the role of the Unique Identification Authority of India (UIDAI), the agency that manages the Aadhaar initiative, in the leaks.

“While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data. With countless databases seeded with Aadhaar numbers, we would argue that it is extremely irresponsible on the part of the UIDAI, the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may be used for mischief,” the report states.

Still public?

A crucial question that arises is whether these databases are still leaking data. Over the last two months, some of the information has been masked.

“It must be stated that since we began reviewing and documenting these portals, we have noticed that some of the pages with sensitive PII (personally identifiable information) have now been masked, presumably in response to growing reports about leaks,” the report notes.

This article has been published by arrangement with thewire.in
