Aadhaar data of farmers exposed by a government website: Researchers

A security researcher has reported that the Aadhaar data of a large number of farmers was leaked by a government website created for the welfare of the agriculture sector in India. The website, called PM Kisan, allows the government to distribute grants to farmers under the Pradhan Mantri Kisan Samman Nidhi programme. However, due to an issue, a part of it was publicly exposing the Aadhaar numbers of enrolled farmers. The website has registered over 110 million farmers since its launch in 2019.

Security researcher Atul Nair said in a post on Medium that a part of the PM Kisan website was leaking the Aadhaar numbers of registered farmers.

“The website provides an endpoint, which gives information about the beneficiary. This endpoint was also sending the Aadhaar number,” Nair told Gadgets 360.

The issue was first noticed by the researcher in late January and was reported to India's Computer Emergency Response Team (CERT-In). Immediately after receiving the report, the nodal agency forwarded the details to the concerned authorities. However, it apparently took a few months to fix the exposure.

Nair wrote in his post that the issue was fixed at the end of May. He told Gadgets 360 that he has confirmed that the problem is no longer reproducible.

However, it is not confirmed whether an attacker was able to access the data before the issue was fixed.

CERT-In commended the researcher for reporting the issue, although it did not explicitly confirm the fix or whether there was a data breach.

Gadgets 360 has contacted the National Informatics Centre (NIC), the developer and maintainer of the PM Kisan website. This article will be updated when the department responds.

Aadhaar numbers of individuals in the country are not confidential in nature, according to the Unique Identification Authority of India (UIDAI), the statutory authority mandated to issue the 12-digit unique identification number. Still, it does ban users from sharing their Aadhaar card in public forums.

Notably, this is not the first time that Aadhaar data of individuals has been exposed by a government website. In 2019, the Jharkhand government reportedly exposed the unique identification numbers of thousands of its workers.

A few days later, state-owned liquefied petroleum gas (LPG) producer Indane was also alleged to have exposed the Aadhaar details of millions of its users.