Security breach exposes sensitive data on Indian State of Rajasthan’s key Government welfare portal

A security breach on a key Government portal of the Indian state of Rajasthan exposed the sensitive documents and personal information of millions of residents, raising serious concerns about data protection at a state level in India. The vulnerability, discovered by security researcher Viktor Markopoulos, affected the Jan Aadhaar portal, a program that provides a single identifier for accessing government welfare schemes.

These vulnerabilities disclosed copies of Aadhaar cards, birth and marriage certificates, electricity bills, and income statements related to registrants. Personal information such as date of birth, gender, and father’s name was also exposed. This sensitive information could be misused for identity theft, financial fraud, or other malicious activities.

Aadhaar is a 12-digit identification number that is assigned to all residents of India based on their biometric and demographic data. The primary objective of Aadhaar is to simplify administrative processes, such as accessing government subsidies, filing taxes, and verifying identity. By providing a unique identification number, Aadhaar aims to streamline these processes, reduce fraud, and increase efficiency.

Markopoulos, working with a cybersecurity firm, identified two critical bugs in the Jan Aadhaar portal in December 2023. One bug allowed anyone to access personal documents simply by knowing a registrant’s phone number. The other flaw allowed attackers to retrieve sensitive data by exploiting weaknesses in the system’s one-time password verification process.

Despite reporting the vulnerabilities to the Jan Aadhaar Authority in December, Markopoulos received no response. After waiting a week, he decided to report the issue to the Indian Computer Emergency Response Team (CERT-In) for further assistance, according to a report by TechCrunch.

