A large trove of data containing the full names, bank account numbers and nominee information of pension fund holders in India has surfaced online.
Security researcher Bob Diachenko found two separate IP addresses holding more than 288 million records in total: about 280 million records were available at one IP address and about 8.4 million at the second. Both IP addresses exposed the data publicly on the Internet without any password protection, the researcher said.
The records were part of cluster indices titled “UAN,” which apparently refers to the universal account number assigned to pension fund holders by the state-owned Employees’ Provident Fund Organization (EPFO) in the country.
“From what I understood, information from the database could have been used to compile a complete profile of an Indian citizen and make them a target for a phishing or scam attack,” Diachenko told londonbusinessblog.com.
Each record contained individuals’ personal information, including their marital status, gender, and date of birth. There was also data mainly related to their pension fund accounts, including the UAN, bank account number and employment status.
Aside from leaking the personally identifiable information (PII) of individuals with retirement fund accounts, the records revealed details of their nominees, including the nominees’ full names and their relationship to the account holders.
Diachenko discovered earlier this week that the IP addresses were leaking the sensitive data. He tweeted a screenshot on Wednesday showing the data fields revealing personal information, in addition to tagging the Indian Computer Emergency Response Team (CERT-In). Less than a day after posting his tweet, both IP addresses in question were no longer accessible.
But Diachenko said it was not clear who was responsible for the exposed data that surfaced online. It is also unclear whether anyone other than Diachenko found the exposed data.
londonbusinessblog.com contacted India’s EPFO, CERT-In and the country’s IT ministry for comment, but we haven’t heard anything back.
In 2018, the Central Provident Fund Commissioner reportedly warned the IT ministry that hackers could steal data from the Aadhaar seeding portal of the EPFO website. That incident had jeopardized the information of some 27 million pension fund participants. However, the pension fund body later claimed, without providing evidence, that there had been no data leak on its side.