A huge cache of data containing the full name, bank account number and nominee information of pension fund holders in India has surfaced online.
Security researcher Bob Diachenko found two separate IP addresses storing more than 288 million records — with some 280 million records available under one IP address and about 8.4 million a part of the second IP address. Both IP addresses were publicly exposing the data to the internet but were not protected by passwords, the researcher said.
The records were a part of cluster indices titled “UAN”, which apparently refers to the Universal Account Number allotted to pension fund holders by the state-owned Employees’ Provident Fund Organization (EPFO) in the country.
“From what I understood, information from the database could have been used to put together a complete profile of an Indian citizen and make them a target for a phishing or scamming attack,” Diachenko told TechCrunch.
Each record included personal information of individuals, including their marital status, gender and date of birth. There were also details mainly linked to their pension fund accounts, including the UAN, bank account number and employment status.
Apart from leaking the personally identifiable information (PII) of individuals holding pension fund accounts, the records exposed details of their nominees. These include their full name and relationship with the account holders.
Diachenko discovered the IP addresses leaking the sensitive data earlier this week. He tweeted on Wednesday a screenshot showing the data fields exposing personal information, alongside tagging India’s Computer Emergency Response Team (CERT-In). Less than a day after posting his tweet, both IP addresses in question were no longer accessible.
But Diachenko said it wasn’t clear who should claim responsibility for the exposed data that surfaced online. It is also unclear whether anyone other than Diachenko found the exposed data.
TechCrunch reached out to India’s EPFO, CERT-In and the country’s IT ministry for comment, but did not hear back.
In 2018, the Central Provident Fund Commissioner reportedly notified the IT ministry that hackers were able to steal data from the Aadhaar seeding portal of the EPFO website. That incident put the information of about 27 million pension fund members at risk. However, the pension fund body later claimed on the record, but provided no evidence, that there was no data leakage from its side.