However, in 2018, when reports about the alleged breach had first surfaced, the EPFO had denied that its systems were compromised, and had instead said that the vulnerability was exploited from the systems of Common Service Centres (CSCs).
On Monday, a big trove of information was leaked on GitHub as part of documents relating to Chinese cyber agencies – indicating that these agencies were either responsible for the initial breach, or acquired the compromised data after that, a senior government official said.
Following that, the Indian Computer Emergency Response Team (Cert-In) began an investigation on whether the data in these documents was new or collated from breaches in the past.
According to information that has been uploaded to GitHub, the leaked database claims to have information from across Indian institutions – both government and private. It claims to have data pertaining to the Employees’ Provident Fund Organisation (EPFO), data of users of BSNL, and information with companies including Air India and Reliance.
“Cert-In had carried out a preliminary probe into the claims and it appears that the EPFO data present in the documents is from 2018 when its systems were impacted,” a senior government official said.
EPFO’s CEO did not respond to a request for comment until publication.
At the time of the breach in 2018, a senior official of the EPFO had told this paper that the suspected data leak “did not happen on the server or software run by EPFO,” but “on the CSC software”. However, an official of the CSC had denied the claims and said that the concerned application was on the EPFO server and that the CSCs did not have anything to do with the incident.
“…No confirmed data leakage has been established or observed so far. As part of the data security and protection, EPFO has taken advance action by closing the server and host service through Common Service Centres pending vulnerability checks,” the EPFO had said at the time.
However, the Cert-In’s initial findings all but confirm that the EPFO system was indeed compromised in 2018.
Over the last few years, India has faced a barrage of cybersecurity-related incidents – most recently a high-profile attack on the systems of AIIMS Delhi in 2022 – which pose a major challenge to New Delhi’s national security imperatives.
According to the 2023 India Threat Landscape Report by Singapore-based cybersecurity firm Cyfirma, India is the most targeted country globally, facing 13.7 per cent of all cyberattacks. The US is the second most targeted country, with 9.6 per cent of all attacks. Indonesia and China follow, with 9.3 per cent and 4.5 per cent of all attacks, respectively.
Recognising the need to strengthen the cybersecurity landscape of critical sectors in the country, the Centre has drawn up a policy recommending that enterprises – especially those in critical sectors like banking, telecom, and energy – use only security products and services developed in India, The Indian Express had earlier reported.
Called the National Cybersecurity Reference Framework (NCRF), the policy is an attempt to provide an implementable measure – with clear articulation of roles and responsibilities for cybersecurity – based on existing legislations, policies and guidelines.