PF-Aadhaar seeding portal hacked, EPFO refutes claim: All you need to know

EPFO shut down the website and stopped linking provident fund (PF) accounts with Aadhaar numbers after confidential data were stolen by hackers from the Aadhaar-seeding portal about a month earlier

Employees Provident Fund Organisation (EPFO) has apparently had to shut down the portal that it uses to for Aadhaar seeding with provident fund accounts of its subscribers following an alleged data breach where confidential user information was stolen by hackers.

The issue was purportedly raised by EPFO Central Provident Fund Commissioner V P Joy in a letter to Common Service Centre (CSC) Chief Executive Dinesh Tyagi on March 23. 

“The web portal has been closed one-and-a-half months ago, immediately after a possible data theft was reported to us during a process of routine security check. There was some problem in the application run by CSC and it is not related to our data centre that maintains the EPF accounts,” Joy told Business Standard on Wednesday.

Speaking to PTI, Tyagi said that while the said application had been designed by the CSC, it was now hosted on EPFO data centres and servers. The EPFO shut down the website on March 22, urging the CSC to secure the confidential data of employees.

The report comes at a time when Aadhaar is embroiled in data breach allegations while also being at the centre of India's privacy debate. The Supreme Court is hearing a clutch of petitions challenging the Aadhaar Act and the use of biometric identifier in various government and non-government services.

Here is all you need to know about the EPFO data leak: 

The basis of the EPFO data leak report: The reports of the possible data theft are based on a letter purportedly written by EPFO Central Provident Fund Commissioner V P Joy to CSC CEO Dinesh Tyagi on March 23 flagging the data theft issue. “It has been intimated that the data has been stolen by hackers by exploiting the vulnerabilities in the website (aadhaar.epfoservices.com) of EPFO,” Roy wrote in the letter.

The incident, according to an earlier report on Business Standard, came to light after the Intelligence Bureau (IB) informed the Labour and Employment Ministry in March about the data theft from the EPFO’s web portal.

What the EPFO said: EPFO on Wednesday said no confirmed data leakage had been established. "No confirmed data leakage has been established or observed so far. As part of the data security and protection, the EPFO has taken advance action by closing the server and host service through the CSC pending vulnerability checks," it said in a statement.

Why EPFO has suspended CSC services: While announcing the suspension of CSC services, the EPFO said the services were being discontinued on the basis of warnings regarding vulnerabilities in software. "Warnings regarding vulnerabilities in data or software is a routine administrative process based on which the services which were rendered through the CSC have been discontinued from March 22, 2018," EPFO had said.

What the UIDAI said: The Unique Identification Authority of India (UIDAI), the Aadhaar-issuing body, said the matter does not pertains to any data breach from UIDAI server as the alleged data breach took place on a website that does not belongs to it.

“This matter does not pertain at all to any Aadhaar data breach from UIDAI servers,” it said in a press statement.

About the portal - aadhaar.epfoservices.com: The website, hosted at the National Data Centre for EPFO and managed by the CSC, used to help formal sector workers link their Aadhaar numbers with the EPFO’s universal account number (UAN) through CSC outlets. It also helped EPFO pensioners to submit their digital life certificates.