As per the report by TechCrunch, the web system which was used for marking the attendance of government employees in Jharkhand was shockingly left with no security measure whatsoever since 2014. In simple words, there was no password check for the web system, therefore allowing anyone to access the name, job title and phone numbers of 166,000 government employees.
Furthermore, the uploaded image file of the employees used Aadhar number as file name, which is a confidential 12-digit number of each Indian citizen. These numbers aren’t strictly confidential but are treated similarly to social security numbers. These Aadhar numbers can be used to verify the identity of the owner in order to enroll in state services, like voting, welfare or financial assistance.
So it holds paramount importance for the Indian citizen and, unfortunately, for those 166,000 government employees their Aadhar number can now be used for malicious purposes. According to the security researcher, Robert Bapsite, the data on the website can be easily accessed with simple Python codes. Surprisingly, no one from the Jharkhand government or UIDAI commented on this security breach. Previously, The Tribune reported that sensitive data regarding the employees could be accessed by paying INR 500, UIDAI, however, denied the report. Fortunately for those Indian citizens, the central database (controlled by the Unique Identification Authority of India or UIDAI) hasn’t been affected by the incident to a great extent.
It’s still unclear why the Jharkhand government site had no security checks and was basically accessible to anyone who knew where to look. Sadly, little effort had been put in to ensure and implement a robust security system or to at least hide it from the outside world, which was evident from the fact that The Tribune reported the issue a while back but it was outrightly denied by the government.
This is somewhat similar to a data breach that occurred in Pakistan more than a year ago, where Punjab Information Technology Board was found responsible for exposing the privacy of thousands of Pakistani individuals. Basically, those with very basic computer knowledge could access the exposed directory. They could access and download/dump dozens of GBs of the private data that included personal information such as CNIC numbers, Front and Back of CNICs, Scanned copies of all the educational degrees, work experience, CVs and more. The main reason for this security breach as per PITB was a server upgrade which triggered a bug that resulted in the data breach.