Farmers’ Aadhaar Data Leaked by PM Kisan Website, Security Researcher Reports
A security researcher says the Aadhaar data of a large number of farmers has been leaked by a government website designed for the welfare of the agricultural industry in India. The website, called PM Kisan, allows the government to distribute grants to farmers under the Pradhan Mantri Kisan Samman Nidhi scheme. However, due to an issue, one part of the site publicly exposed the Aadhaar numbers of registered farmers. The site has registered more than 110 million farmers since its launch in 2019.
Security researcher Atul Nair said in a post on Medium that part of the PM Kisan website was leaking the Aadhaar numbers of its registered farmers.
“The website provides an endpoint, which returns information about the beneficiary. This endpoint is also sending the Aadhaar number,” Nair told Gadgets 360.
The issue was first discovered by the researcher in late January and was reported to India’s Computer Emergency Response Team (CERT-In). Immediately after receiving the report, the body forwarded the details to the relevant agencies. However, it seems to have taken them several months to fix the exposure.
Nair wrote in his post that the issue was fixed at the end of May. He told Gadgets 360 that he has confirmed that the problem is no longer reproducible.
However, it has yet to be confirmed whether an attacker was able to compromise the data before the issue was fixed.
CERT-In expressed its appreciation to the researcher for reporting the issue, although it did not explicitly confirm a fix or whether data was breached.
Gadgets 360 has reached out to the National Informatics Centre (NIC), the developer and maintainer of the PM Kisan website. This article will be updated when the department responds.
The Aadhaar numbers of individuals in the country are not secret in nature, according to the Unique Identification Authority of India (UIDAI), the statutory authority authorized to issue the 12-digit unique identifiers. However, it has restricted users from sharing Aadhaar numbers on public platforms.
This is not the first time that individuals’ Aadhaar data has been exposed by a government website. In 2019, the Jharkhand government reportedly exposed the unique identifiers of thousands of workers.
A few days later, the state-owned liquefied petroleum gas (LPG) producer Indane also allegedly exposed the Aadhaar details of millions of consumers.