THE government’s Common Service Centres (CSCs) scheme, which employs rural entrepreneurs to offer a slew of digital services to those in the hinterlands, has come under the scanner for the second time in four months with the Aadhaar-seeding portal built for Employees’ Provident Fund Organisation (EPFO) being suspended after suspected security-related “vulnerabilities”.
A subsequent disabling of the portal, aadhaar.epfoservices.com, due to security concerns has impacted the process of Aadhaar authentication for the “Jeevan Pramaan” or life certification scheme for pensioners in rural areas where post offices are the only other option for availing this service. This comes close on the heels of a controversy earlier this year where CSC village-level entrepreneurs (VLEs) allegedly gained illegal access to UIDAI data to provide Aadhaar services to people for a charge.
The Aadhaar-seeding portal for EPFO was built by CSC e-Governance Services India Ltd, a special purpose vehicle set up by the Ministry of Electronics and Information Technology to oversee implementation of the CSC scheme, under which there are over 1.70 lakh service centres that, in many villages, are the only source of digital services such as seeding Aadhaar with various instruments.
Even as the portal has been suspended, the three agencies involved with the process, EPFO, CSC and UIDAI, have denied any theft of data. According to the EPFO, CSC services are limited to seeding of Aadhaar with Jeevan Pramaan — the biometric-enabled digital service for pensioners of the EPFO. On March 22, the Intelligence Bureau, in a note, flagged the issue to the Ministry of Labour and Employment, following which EPFO’s Central Provident Fund Commissioner V P Joy wrote to CSC CEO Dinesh Tyagi on March 23 pointing out the vulnerabilities in the seeding website, aadhaar.epfoservices.com.
When contacted, Joy told The Indian Express that the suspected data leak “did not happen on the server or software run by EPFO” but “on the CSC software”, following which the CSC services were curtailed on March 22.
But Dinesh Tyagi, CEO of CSC, denied any role in the reported breach and said that the application concerned is on the EPFO server and that the CSCs did not have anything to do with the incident. Joy, in the March 23 letter, had said, “…it has been intimated that the data has been stolen by hackers by exploiting vulnerabilities prevailing in the website (aadhaar.epfoservices.com) of EPFO which are (i) strut vulnerability and (ii) backdoor shells”.
He requested Tyagi to immediately deploy an “expert technical team” to plug the breach. “Strut vulnerability” refers to security flaws in Apache Struts, an open-source framework for building Java-based web applications; the letter did not specify which Struts flaw was meant. A “backdoor shell” (commonly called a web shell) is malicious code uploaded to a web server that lets an attacker remotely run commands and access the files stored on that server. On Wednesday, the EPFO said that the news is related to “the services through common service centres and not about EPFO Software or data centre”.
“…No confirmed data leakage has been established or observed so far. As part of the data security and protection, EPFO has taken advance action by closing the server and host service through Common Service Centres pending vulnerability checks,” the EPFO said. On the letter sent to him by EPFO’s Joy, Tyagi said, “The letter was sent to us but this was basically saying that somebody has pointed out vulnerabilities in the system, so, therefore we are disabling this service and kindly look into it. This application was audited by an auditor, by a security audit. They have not pointed out anything specific, we are looking to find out if some vulnerability is there or not. We are getting another auditor to audit it.”
The UIDAI, which is the nodal agency for the Aadhaar project, said: “The said website does not belong to UIDAI in any manner whatsoever. This matter does not pertain at all to any Aadhaar data breach from UIDAI servers. There is absolutely no breach into Aadhaar database of UIDAI. Aadhaar data remains safe and secure.”