The government has blocked websites that reportedly exposed sensitive information, including Aadhaar and PAN Card details of citizens. Reports suggested that at least two websites were leaking personal identifiable data, and both the Unique Identification Authority of India (UIDAI) and the Indian Computer Emergency Response Team (CERT-In) were looking into the issue.
“The Government of India is committed to have an open, safe & trusted and accountable internet. It has come to the notice of the Ministry of Electronics and Information Technology (MeitY) that some websites were exposing sensitive personal identifiable information including Aadhaar and PAN Card details of Indian citizens. This has been taken up seriously as the Government accords highest priority to safe cyber security practices and protection of personal data,” the IT ministry said in a statement.
Aadhaar data leak: Actions taken by UIDAI and CERT-In
The UIDAI lodged a complaint with the authorities concerned for violation of the prohibition under section 29(4) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 on public display of Aadhaar information.
Meanwhile, CERT-In analysed these websites and suggested some security flaws in these websites. The owners of these websites have been provided guidance about the actions to be taken at their end.
According to a report by Moneycontrol, two websites, Indian Aerospace and Engineering and The Star Kidz, were found to be leaking Aadhaar data. Indian Aerospace and Engineering, a Navi-Mumbai based institute focused on aircraft maintenance, was still exposing this sensitive information as of midday on September 26, the report added.
The Star Kidz, which is an online platform for children’s development, had a URL leaking Aadhaar details until September 25, but it has since been deactivated. The issue was first highlighted on social media by Debarghya Das, a venture capitalist at Menlo Ventures.
CERT-In has issued “Guidelines for Secure Application Design, Development, Implementation & Operations” for all entities using IT applications. CERT-In has also given directions under the Information Technology Act, 2000, (“IT Act”) relating to information security practices, procedure, prevention, response and reporting of cyber incidents.
Notably, any adversely affected party can approach the Adjudicating Officer under section 46 of the IT Act for filing a complaint and seeking compensation.