Security Bug in MCA Portal Leaked Aadhaar-Based KYC Details of India’s Top Industrialists

Recently, the Ministry of Corporate Affairs (MCA) portal, used by companies to file compliance activities under the Companies Act, faced a significant security breach. The breach resulted in the unauthorized access of Aadhaar-based KYC (know your customer) details of esteemed industrialists and celebrities including Ratan Tata, Mukesh Ambani, Gautam Adani, Virat Kohli, and Shah Rukh Khan.

Security researcher Sai Krishna Kothapalli of Hackcrew brought attention to this alarming issue in a detailed report. The report disclosed the prolonged timeline for addressing the security flaw, which was reportedly fixed only after 11 months, following its report to the Indian Computer Emergency Response Team (CERT-In).

The MCA portal serves a crucial function in providing public access to information related to company activities, facilitating business transactions and verifications. Under the Companies Act and the Prevention of Money Laundering Act (PMLA), KYC norms play a vital role in preventing illegal activities associated with shell companies. However, the recent breach exposed a flaw in the protection of sensitive personal information.

The leaked data included extensive personal details such as Aadhaar numbers, permanent account numbers (PAN), Voter IDs, addresses, mobile numbers, and email IDs. Additionally, internal flags assigned by MCA, such as company director status and shared director addresses, further exacerbated the severity of the breach.

The systemic failure in safeguarding Aadhaar data is a cause for concern, especially considering the regulatory bodies tasked with quality checks and security audits. Both the Software Testing and Quality Certification (STQC) and the CERT-In have been unable to effectively address and prevent such breaches, reflecting a lack of capacity within CERT-In.

This incident highlights the urgent need for accountability and stringent measures within the government to address software-related issues. Moreover, the existence of an entire ecosystem of companies and data providers reliant on such information emphasizes the far-reaching implications of this breach.

The lack of effective data management and oversight within government departments, in violation of policies mandating proper data classification, further compounds the impact of this breach. The delay in implementing crucial regulations such as the Digital Personal Data Protection Act 2023 and the classification of datasets by the India Data Management Office underscores the ongoing challenges in data governance.

The gravity of the situation is evident as even prominent figures like Ratan Tata, who has historically advocated for privacy rights, find themselves entangled in such breaches. The failure to enforce fundamental rights to privacy underscores the pressing need for comprehensive data protection measures.

This breach serves as a stark reminder of the vulnerabilities within critical systems and the imperative need for proactive measures to safeguard sensitive information. The repercussions of such breaches extend beyond individual privacy concerns, encompassing far-reaching economic and regulatory implications, and call for swift and decisive action to prevent future occurrences. According to The Wire.

Ratan Tata’s director identification number on the MCA website