EPFO data breach in 2018 linked to Chinese cyber agency, probe reveals

A data breach that affected the systems of the Employees' Provident Fund Organisation (EPFO) in 2018 and exposed the personal data of millions of Indians was found to have been "repackaged" by a Chinese cyber agency, a preliminary investigation by New Delhi's cybersecurity agency said.

However, when news of the purported breach initially surfaced in 2018, the EPFO denied that its systems were compromised, claiming that the vulnerability was exploited from systems of the Common Service Centre (CSC).

Meanwhile, on Monday, a considerable amount of information was leaked on GitHub as part of documents pertaining to Chinese cyber agencies, indicating that these agencies were either engaged in the initial hack or acquired the compromised data afterward, a senior government official told The Indian Express.

Following that, the Indian Computer Emergency Response Team (Cert-In) opened an investigation to ascertain whether the data in these documents was new or the result of earlier breaches.

According to the information posted on GitHub, the leaked database contains information from many Indian institutions, both government and private. It claims to contain data on the Employees' Provident Fund Organisation (EPFO), BSNL users, and information on firms like Air India and Reliance.

"Cert-In had carried out a preliminary probe into the claims, and it appears that the EPFO data present in the documents is from 2018 when its systems were impacted," a senior government official told The Indian Express.

At the time of the breach in 2018, a senior EPFO official stated that the alleged data leak occurred "on the CSC software" rather than "on the EPFO server or software." However, a CSC representative refuted the claims, stating that the concerned application was on the EPFO server and that the CSCs had nothing to do with the incident.

"No confirmed data leakage has been established or observed so far. As part of the data security and protection, EPFO has taken advance action by closing the server and host service through Common Service Centres pending vulnerability checks,” the EPFO had said.

However, the Cert-In's preliminary findings all but indicate that the EPFO system was infiltrated in 2018.

Over the past few years, India has witnessed a barrage of cybersecurity-related incidents, the most recent of which being a high-profile attack on AIIMS Delhi's systems in 2022, posing a significant challenge to New Delhi's national security imperatives.

According to the 2023 India Threat Landscape Report by Singapore-based cybersecurity firm Cyfirma, India is the most targeted country in the world, accounting for 13.7 per cent of all cyberattacks. The United States is the second most targeted country, accounting for 9.6 per cent of all attacks. Indonesia and China follow, accounting for 9.3 per cent and 4.5 per cent of all attacks, respectively.

Recognising the need to strengthen the cybersecurity landscape of the country's critical sectors, the Centre has developed a policy recommending that enterprises, particularly those in critical sectors such as banking, telecom, and energy, use only security products and services developed in India.

The policy, known as the National Cybersecurity Reference Framework (NCRF), aims to create an implementable measure—with clear articulation of cybersecurity tasks and responsibilities—based on existing legislation, policies, and guidelines.