A huge cache of data containing the full name, bank account number and applicant information of pension fund holders in India has surfaced online.
Security researcher Bob Diachenko found two separate IP addresses storing over 288 million records in total: some 280 million records were available under one IP address and around 8.4 million under the second. Both IP addresses exposed the data to the internet without any password protection, the researcher said.
The records were part of cluster indices titled “UAN”, which apparently refers to the universal account number assigned to pension fund holders by the country’s Employees’ Provident Fund Organisation (EPFO).
“My understanding is that the database information could have been used to build a complete profile of an Indian citizen and make them the target of a phishing or scam attack,” Diachenko told TechCrunch.
Each record included personal information about the individual, including their marital status, gender and date of birth. There were also details related to their pension fund account, including the UAN, bank account number and employment status.
Besides leaking the personally identifiable information (PII) of people holding pension fund accounts, the records revealed details about their applicants, including the applicant’s full name and relationship to the account holder.
Diachenko discovered the IP addresses leaking the sensitive data earlier this week. He tweeted a screenshot on Wednesday showing the exposed data fields containing personal information, as well as the Indian Computer Emergency Response Team (CERT-In) marking. Less than a day after he posted the tweet, the two IP addresses in question were no longer accessible.
But Diachenko said it was unclear who was responsible for the exposed data. It is also unclear whether anyone other than Diachenko found the exposed data.
TechCrunch reached out to India’s EPFO, CERT-In, and the country’s IT ministry for comment, but received no response.
In 2018, the Central Provident Fund Commissioner reportedly notified the Ministry of IT that hackers had been able to steal data from the Aadhaar seeding portal of the EPFO website. This incident endangered the information of approximately 27 million pension fund members. However, the pension fund body later publicly stated, without providing evidence, that there had been no data leak on its part.