EPFO Suspends Services Through CSC; Says No Data Leakage

After reports of personal and professional data of about 2.7 crore people registered with the Employees Provident Fund Organisation (EPFO) being exposed to data theft, retirement fund body EPFO maintained that there was no data leakage.

“Services pertaining to Aadhaar-seeding with PF accounts done by Common Service Centre (CSC) have been suspended "pending vulnerability checks", EPFO said.

The statement from the EPFO came amid reports of a letter purportedly written by EPFO Central Provident Fund Commissioner V P Joy to CSC's CEO, Dinesh Tyagi on 23 March flagging the data theft issue.

While announcing the suspension of CSC services, the EPFO said, "Warnings regarding vulnerabilities in data or software is a routine administrative process based on which the services which were rendered through the CSC have been discontinued from 22 March 2018".

"No confirmed data leakage has been established or observed so far. As part of the data security and protection, the EPFO has taken advance action by closing the server and host service through the CSC pending vulnerability checks", it said in a statement.

The retirement fund body's statement came after reports had suggested theft of data of subscribers by hackers from 'aadhaar.epfoservices.com', a website operated by the CSC that comes under the Ministry of Electronics and IT.

The issue of data theft was purportedly raised by Joy in his letter dated 23 March.

"... it has been intimated that the data has been stolen by hackers by exploiting the vulnerabilities prevailing in the website (aadhaar.epfoservices.com) of EPFO...," the purported letter had said.

Separately, Aadhaar-issuing body, Unique Identification Authority of India (UIDAI) clarified that there is no data compromise from its servers, and asserted that the Aadhaar database "remains safe and secure".

Asked about EPFO's chief's letter to CSC CEO, a top IT ministry official said that since vulnerability has been flagged, the ministry would take action to plug the gaps in case they exist.

"We will have it looked at. A vulnerability has been pointed out, and so we will (undertake) the exercise to plug the vulnerability, if it is there," said the official who did not wish to be named.

When contacted by PTI, Tyagi emphasised that while the said application had been designed by the CSC, it is now hosted on EPFO data centres and servers.

The report of the data leak and alleged data vulnerability comes at a time when a Constitutional bench of the Supreme Court is hearing a clutch of petitions challenging the Aadhaar Act and the use of biometric identifier in various government and non-government services.

(With inputs from NDTV.)

(The Quint is now on WhatsApp. To receive handpicked stories on topics you care about, subscribe to our WhatsApp services. Just go to TheQuint.com/WhatsApp and hit send.)