Sensitive UAN data exposed online claimed Security researcher
A Ukrainian security researcher has claimed on Wednesday, August 3, 2022 that data belonging to Indian pension fund has been exposed online. As per the security researcher, exposed information is UAN data of more than 10 million Indian pensioners who have account in this portal.
Volodymyr “Bob” Diachenko, who is security researcher and also owns an information security related blog names as SecurityDiscovery.com claimed on Wednesday that he identified 2 public IPs with passwordless Elasticsearch clusters containing indices called “UAN” which means Universal Account Number allotted to pension fund holders of Indians states by Employees’ Provident Fund Organization (EPFO) India.
See more: One more phishing campaign: The Organization’s Landing Page
Post digging into details he found that First IP with Elasticsearch cluster contained 280,472,941 records and the other IP contained 8,390,524 records.
In a tweet writing to the Indian computer emergency response team(CERT-In), Diachenko tweeted:
[BREACH ALERT] 280M+ records in this Indian database, publicly exposed. Where to report?@IndianCERT?
The tweet was containing exposed data however PII(Personal Identifiable Information) data were hidden. Both IPs were taken down after posting his tweet in less than a day and these IPs are now inaccessible.
See more: Paytm mall denied of any data breach of 3.4 million customers
The said exposed data consists of personal information of employees such as their name, marital status, age, gender, date of birth, date of registration, bank name, IFSC code, account number etc.
As per the researcher it wasn’t clear who was responsible for the exposed data that was exposed online for more than 2, 3 days. It is also not clear if anyone else might have the same data. In case this data goes to wrong hands, this might be used to perform targeted online cyber-attacks such as phishing.
See more : Another security breach surfaced- This time it is Policybazaar
In 2018, the Central Provident Fund Commissioner purportedly updated to the relevant department that adversaries were able to steal data of approximate 2.7 crores individuals from the Aadhaar seeding portal of the EPFO site anyway it’s still not confirmed if the breach really occurred or not.
Follow on Facebook: Latest Hacking Updates
