A Ukraine-based cybersecurity researcher and journalist, Bob Diachenko, has claimed that about 28.8 crore personal records of holders of the Employees’ Pension Scheme (EPS) in the Employees’ Provident Fund Organisation (EPFO) were leaked online before being taken off the Internet. The records contained the full name, bank account number, and nominee information.
The security researcher’s claims about the data exposed online were verified by the EPFO, national cyber agency CERT-In, and the IT Ministry. Cyber threat intelligence director at securitydiscovery.com, Bob Diachenko, claimed that their systems identified two separate IPs with Universal Account Number (UAN) data.
Universal Account Number (UAN) is an integral part of the Indian government registry and is allotted by EPFO. Each record of the provident fund account holder contained personal information, such as marital status, gender, date of birth, and employment status.
Diachenko claimed that 280 million records were exposed under one IP address, while the other IP address contained about 8.4 million publicly exposed records.
Given the scale and evident sensitivity of the data, the researcher decided to tweet about it without giving any details about the source or associated information. Within 12 hours of the tweet, both IPs were taken down and are now unavailable. The IANS report mentioned that both IPs have now been removed from the public domain.