Aadhaar data of a large number of farmers was leaked by a government website designed for the welfare of the agriculture sector in India, a security researcher has reported. The website, called PM Kisan, allows the government to distribute grants to farmers under the Pradhan Mantri Kisan Samman Nidhi programme. However, due to an issue, one of its parts was publicly exposing Aadhaar numbers of enrolled farmers. The website has registered over 110 million farmers since its launch in 2019.
Security researcher Atul Nair said in a post on Medium that a part of the PM Kisan website was leaking the Aadhaar number of its registered farmers.
"The website provides an endpoint, which returns information about the beneficiary. This endpoint was also sending Aadhaar numbers," Nair told Gadgets 360.
The issue was first spotted by the researcher in late January and was reported by India's Computer Emergency Response Team (CERT-In). Shortly after receiving the report, the nodal agency forwarded the details to the concerned authorities. They, however, apparently took some months to fix the exposure.
Nair wrote in his post that the issue was fixed in late May. He told Gadgets 360 that he had confirmed that the issue was no longer reproducible.
However, it is not confirmed whether an attacker was able to breach the data until it got fixed.
CERT-In appreciated the researcher for reporting the issue, though it did not explicitly confirm the fix or whether the data was not breached.
Gadgets 360 reached out to the National Informatics Centre (NIC) — the developer and maintainer of the PM Kisan website, and an official has confirmed the fix.
"Upon receipt of the vulnerability, the PMKisan team undertook necessary action to fix the vulnerability," the NIC official said. However, she did not confirm whether the exposed data was not breached by an attacker until the vulnerability got fixed.
Aadhaar numbers of individuals in the country are not of confidential nature, per the Unique Identification Authority of India (UIDAI) — the statutory authority that is mandated to issue the 12-digit uniquely identified numbers. Nevertheless, it does restrict users from sharing Aadhaar cards on public platforms.
This is notably not the first time when the Aadhaar data of individuals was exposed by a government website. In 2019, the Jharkhand government reportedly exposed the unique identification numbers of its thousands of workers.
A few days later, state-owned liquid petroleum gas (LPG) manufacturer Indane had also allegedly exposed Aadhaar details of millions of its consumers.
Affiliate links may be automatically generated - see our ethics statement for details.