      How a Security Flaw in EPFO’s System Leaked Pensioners' Data

      The flaw allowed unauthorised access to pension dashboards, revealing personal information.

By Hera Rizwan | 10 Jan 2025 2:24 PM IST

      How A Security Researcher Found EPFO Website Flaw That Exposed Pensioners’ Data

      • Nilabh Rajpooth found a serious vulnerability in the EPFO website, allowing unauthorised access to sensitive pensioner data.
      • The flaw exposed personal details of individuals whose pensions were stalled, including Pension Payment Order numbers, addresses, mobile numbers, and pension dates.
      • Rajpooth reported the vulnerability to CERT-In, leading to the flaw being fixed within two days by EPFO.

A serious security flaw in the Employees' Provident Fund Organisation (EPFO) website was discovered by researcher Nilabh Rajpooth, allowing unauthorised access to sensitive pensioner information. The issue was resolved within two days of being reported to the Indian Computer Emergency Response Team (CERT-In), India's cybersecurity agency.

      What Was The Issue?

      The vulnerability let anyone access pension dashboards containing personal details of individuals whose pensions were stalled for various reasons. The exposed information included Pension Payment Order (PPO) numbers, mobile numbers, full addresses, and dates related to pension disbursements.

      EPFO is a statutory body under the Ministry of Labour and Employment, Government of India. It manages the Employees' Provident Fund (EPF), a retirement savings scheme designed to ensure financial security for employees in the organised sector.

The flaw was uncovered while Rajpooth was using the EPFO website. He noticed that altering a three-digit code in a URL, which represented an EPFO regional office code, gave access to data belonging to a different office.

      This flaw could have exposed data of individuals whose pensions were stopped or delayed from over 200 EPFO offices across India.

      Pensions under the EPFO may be stalled for several reasons, such as incomplete documentation (missing or incorrect life certificates or bank account details), technical errors, or non-compliance with annual updates of mandatory information. Additionally, cases requiring higher-level scrutiny or pending approvals may experience delays in pension disbursements.


      How Was the Data Found?

      Rajpooth uncovered the flaw while using the Web Archive, a digital library that stores website snapshots. The archive’s web crawlers systematically index publicly accessible pages, but users can also submit URLs for archiving.

      He found over 10,000 archived links related to EPFO. One link led to a downloadable file containing a spreadsheet with sensitive pensioner details.

      Rajpooth explained to Decode, “I noticed the URL ended with a three-digit number. By manipulating these numbers, I could access similar spreadsheets. These numbers represent EPFO office codes across India, which are numerous.”

      By changing the office code in the URL, he accessed more spreadsheets.

      For instance, by changing the code at the end of the URL from "244" to "241," he could access datasets associated with a different EPFO regional office.

      EPFO operates a vast network of offices across India, including over 200 regional, sub-regional, and district offices. As such, the vulnerability could have potentially exposed data from multiple EPFO locations, each tied to unique office codes.
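The pattern described above, a record looked up by an office code taken straight from the URL with no check on who is asking, is a classic insecure direct object reference. The following is an added illustration written for this article, not EPFO's code: the office codes, file names, session fields and the `/pension/stalled/` naming are all constructed. It places the vulnerable lookup beside a hardened version that ties the office code to a server-side entitlement, and shows why the hardened endpoint should also refuse to be cached or indexed, since this flaw surfaced through archived copies of the pages.

```python
"""Constructed example: an office-code report lookup with and without authorisation."""
from dataclasses import dataclass, field

# Constructed sample data (not real records): office code -> stalled-pension report.
REPORTS = {
    "241": "ppo_list_office_241.csv",
    "244": "ppo_list_office_244.csv",
}


@dataclass
class Session:
    """Hypothetical login session; which offices a user may see is decided server-side."""
    user: str
    authenticated: bool
    permitted_offices: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    """Raised for any request the caller is not entitled to make."""


def fetch_report_vulnerable(office_code: str) -> str:
    """Insecure direct object reference: the only 'key' is the three-digit code
    in the URL, so anyone who changes 244 to 241 receives another office's data."""
    return REPORTS[office_code]


def fetch_report_hardened(session: Session, office_code: str) -> str:
    """Same lookup, but the URL identifier is never trusted on its own.

    Order matters: authentication, then syntactic validation, then the
    entitlement check, all before the data store is touched. Checking
    entitlement before existence also avoids leaking which codes exist."""
    if not session.authenticated:
        raise Forbidden("login required")
    if not (office_code.isdigit() and len(office_code) == 3):
        raise Forbidden("malformed office code")
    if office_code not in session.permitted_offices:
        raise Forbidden("not entitled to this office")
    return REPORTS[office_code]


def report_response_headers() -> dict:
    """Headers for the hardened response: keep personal data out of shared
    caches and out of search and archive crawlers (real header names)."""
    return {
        "Cache-Control": "no-store, private",
        "X-Robots-Tag": "noindex, nofollow",
    }


def enumerate_offices(fetch, codes) -> int:
    """Demonstration helper: how many reports a caller obtains by walking a
    range of office codes through a given fetch function."""
    obtained = 0
    for code in codes:
        try:
            fetch(code)
            obtained += 1
        except (KeyError, Forbidden):
            pass
    return obtained


if __name__ == "__main__":
    codes = [f"{n:03d}" for n in range(240, 250)]
    officer = Session("officer_244", True, frozenset({"244"}))
    anon = Session("anon", False)
    print("vulnerable, anonymous:", enumerate_offices(fetch_report_vulnerable, codes))
    print("hardened, anonymous:  ", enumerate_offices(lambda c: fetch_report_hardened(anon, c), codes))
    print("hardened, one office: ", enumerate_offices(lambda c: fetch_report_hardened(officer, c), codes))
```

Walking the same ten codes yields every existing report against the vulnerable function, nothing for an anonymous caller against the hardened one, and exactly the caller's own office for an entitled user; the audit log of `Forbidden` responses is then the place to look for anyone sweeping codes.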


      Scale of the Data Exposure

When Rajpooth first discovered the flaw, he identified records of at least 15,000 individuals in one go. However, the full extent of the data exposure remains unclear. Given the nature of the vulnerability, it is likely that far more data from various EPFO offices could have been accessed, expanding the scale of the breach.
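Establishing the true scope of an exposure like this is normally done from the web server's access logs: a single client fetching many distinct office codes in quick succession is the signature of someone walking the identifier, and the set of codes that returned 200 to such clients bounds what was actually taken. The following is an added example, not anything published by EPFO or the researcher; the log lines, IP addresses and the `/pension/stalled/NNN.xlsx` path pattern are all constructed for the illustration.

```python
"""Constructed example: find office-code enumeration in Apache-style access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/\d\.\d" (?P<status>\d{3})'
)
# Assumed path layout for the report download; the three-digit code is the office.
PATH_RE = re.compile(r"/pension/stalled/(?P<code>\d{3})\.xlsx$")

# Constructed sample log: one client sweeps five codes in 11 seconds,
# another fetches its own office twice, hours apart.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Dec/2024:10:00:01 +0530] "GET /pension/stalled/244.xlsx HTTP/1.1" 200 51234
203.0.113.7 - - [25/Dec/2024:10:00:04 +0530] "GET /pension/stalled/241.xlsx HTTP/1.1" 200 48211
203.0.113.7 - - [25/Dec/2024:10:00:07 +0530] "GET /pension/stalled/242.xlsx HTTP/1.1" 200 50023
203.0.113.7 - - [25/Dec/2024:10:00:09 +0530] "GET /pension/stalled/243.xlsx HTTP/1.1" 404 312
203.0.113.7 - - [25/Dec/2024:10:00:12 +0530] "GET /pension/stalled/245.xlsx HTTP/1.1" 200 47790
198.51.100.2 - - [25/Dec/2024:10:05:00 +0530] "GET /pension/stalled/244.xlsx HTTP/1.1" 200 51234
198.51.100.2 - - [25/Dec/2024:14:30:00 +0530] "GET /pension/stalled/244.xlsx HTTP/1.1" 200 51234
"""


def parse_line(line):
    """Return (ip, timestamp, office_code, status) for a report download, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PATH_RE.search(m["path"])
    if not p:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, p["code"], int(m["status"])


def find_enumeration(log_text, min_codes=3, window=timedelta(minutes=5)):
    """Flag clients that requested at least `min_codes` distinct office codes
    within any `window`; for each, return the sorted codes actually served (200).

    Legitimate users of such a page touch one or two offices, so a client
    sweeping several codes in minutes is the enumeration pattern to hunt for."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        for i in range(len(recs)):          # sliding window over this client's requests
            codes = set()
            for j in range(i, len(recs)):
                if recs[j][1] - recs[i][1] > window:
                    break
                codes.add(recs[j][2])
            if len(codes) >= min_codes:
                findings[ip] = sorted({r[2] for r in recs if r[3] == 200})
                break
    return findings


def exposed_offices(findings):
    """Union of office codes served to flagged clients: the scope of the exposure."""
    return sorted({code for codes in findings.values() for code in codes})


if __name__ == "__main__":
    hits = find_enumeration(SAMPLE_LOG)
    for ip, codes in hits.items():
        print(f"{ip}: enumerated, served codes {codes}")
    print("offices exposed:", exposed_offices(hits))
```

Against the sample, only `203.0.113.7` is flagged; the 404 for code 243 is excluded from what was served, and the second client, which re-downloaded one office hours apart, is left alone. In a real investigation the same pass would be run over the full retention window and joined with the archive's own fetch records, since an archive crawler is itself a client that should appear in these logs.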

      Rajpooth described the exposed data as a potential "treasure trove" for malicious actors. Such data could easily be exploited for scams, phishing schemes, and other fraudulent activities.

      “With the rise in cybercrime, these bad actors often prey on vulnerable individuals, particularly those facing financial difficulties. Senior citizens with stalled pensions would have been prime targets,” he explained.

      The Central Pension Accounting Office, in 2022, had also highlighted that pensioners, particularly those less familiar with online technology, are often seen as easy prey. The office reported that scammers impersonating officials sent forms via WhatsApp, falsely claiming that failure to complete them would lead to a suspension of next month's pension payments. Many unsuspecting pensioners, believing the message to be genuine, fell victim to the scam.

      In a similar instance from 2023, scammers had impersonated EPFO officials and asked victims to provide personal information such as Aadhaar numbers and bank details, under the guise of updating their EPF accounts or facilitating the transfer of funds. The bad actors managed to siphon off Rs 1.83 crore from victims’ PF accounts.

Recognising the severity of the issue, Rajpooth promptly reported the vulnerability to CERT-In on December 25, 2024. In response, EPFO fixed the flaw within two days, resolving the issue by December 27, 2024.
