The website in question is for PM Kisan—a government scheme launched in 2018 to provide supplemental income to landholding Indian farmers. According to estimates from 2021, India is home to around 90 million to 150 million farmers. The 110 million farmers who have registered for the PM Kisan scheme receive 6000 rupees ($78) a year from the government to support their earnings. Atul Nair, the researcher who discovered the leak, said he reported the issue to the Indian Computer Emergency Response Team (CERT-In) in January. However, the agency only resolved the issue four months later.

PM Kisan’s Leaky Dashboard

The PM Kisan website includes a dashboard that provides statistics about the scheme. It features a state-wide breakdown of the number of beneficiaries and the total amount paid out in a financial year. This dashboard was the source of the leak. Nair said the dashboard had an unprotected endpoint that hackers could take advantage of to gain access to the Aadhaar details of all 110 million registered farmers by writing a basic script. Nair alerted CERT-In about the leak on January 29, but it was only addressed on May 28.

What is Aadhaar?

Aadhaar is India’s unique identification system. Every Aadhaar card contains a unique 12-digit number. While this number is not exactly secret, it is treated much like a social security number in the United States. Aadhaar makes it easy to authenticate a person’s identity and allows them to access different services. An Aadhaar card is required to open a bank account and get a new phone number. It is one of the most widely accepted identification cards to show proof of residence. To register for the PM Kisan scheme, farmers are required to submit a copy of their Aadhaar cards. Aadhaar cards are highly valuable to cybercriminals. Access to a victim’s Aadhaar card and mobile number is all a malicious actor needs to carry out identity theft and related cybercrimes. The Indian government has issued several notices to warn about potential Aadhaar scams.

Concerns Around Centralized Data Storage

The Aadhaar leak raises questions about India’s cybersecurity defenses and how the country responds to potential data breaches. Cybersecurity experts have questioned why an official government website stored sensitive data in such an insecure manner, and why it took so long for the leak to be resolved. While announcing its plan to shut down its servers in India earlier this month, Surfshark highlighted the dangers of collecting sensitive information without appropriate protection mechanisms. Data breaches of this nature usually have adverse short-term and long-term effects on victims. Cybercriminals can sell user data on the dark web or use it to carry out cybercrimes like fraud, phishing, and identity theft. Fraud is a major issue that security agencies across the world continue to grapple with. If you’re interested in learning about how nations are dealing with this issue, check out our article about online fraud.
