According to a security researcher, the PM-Kisan website was leaking the Aadhaar data of more than 110 million farmers.
Security researcher Atul Nair wrote in a post that the dashboard feature of the PM-Kisan portal exposed an endpoint that returned the Aadhaar numbers of beneficiaries by region. With a few changes to the portal's own client-side script, he said, anyone could use that endpoint to pull the data.
Nair, who according to his LinkedIn profile volunteers with the Kerala Police Cyberdome, said he retrieved a small sample of the exposed farmer records and the Aadhaar numbers linked to them from the PM-Kisan website. He also shared the data with TechCrunch, which says it confirmed the data was authentic by matching the leaked records against the individual records returned by the PM-Kisan website's beneficiary finder tool.
Pradhan Mantri Kisan Samman Nidhi Yojana (PM-Kisan) is a government scheme that provides financial assistance of Rs 6,000 per year to farmers, and registration is tied to the farmer's Aadhaar number. Aadhaar is a unique 12-digit number issued to residents as part of India's national identity database, and it is widely used to access government services. Although the number itself is not treated as secret, unauthorized access to it can leave linked details such as bank account numbers and residential addresses exposed to misuse.
Nair's post on Medium includes screenshots of the PM-Kisan portal's script showing the section that leaked each farmer's Aadhaar number and home region. He said the leak may have affected more than 110 million farmers, i.e., every farmer enrolled in the scheme.
The researcher added that he reported the leak to the Indian Computer Emergency Response Team (CERT-In) on 29 January 2022. Two days later he received a response from the agency giving him a reference number and saying that his report had been forwarded to the authority concerned.
On 26 February, CERT-In told Nair that the authority concerned had still not confirmed a fix for the vulnerability and that the issue had been escalated "for appropriate action." On 28 May, Nair found that the issue had been fixed and informed CERT-In. The exact date on which the authority CERT-In referred to in its responses fixed the vulnerability was not disclosed, and it is not clear whether the Aadhaar data of beneficiaries was removed from the portal at some point or remained accessible throughout the period between January and May.
It is worth noting that this is not the first time Aadhaar details have leaked. In 2017, a report found that more than 130 million Aadhaar numbers and the bank details associated with them had been exposed by several websites, and in 2018 the Aadhaar data of many individuals was offered for sale by people who claimed to have access to the database.