Sparsh Data Leak Implications

By Analyst
It was shocking to read the report on the massive data leak at India's SPARSH Pension Portal (reproduced below).
 
This is all the more shocking because concerns regarding data security were raised as early as January and May 2022 in our papers dated 17 Jan 22 (first paper) and 09 May 22 (third paper), attached.
 
Extracts reproduced below:
Para 4 (c) & (d) and Para 10 (paper dated 17 Jan 22)
4 (c) A disaster recovery system based on multiple redundant data back-ups that is at least as robust in technology and dispersion (to minimise risks from malevolent action) as in the banking system.
4 (d) IT backbone and maintenance (now being rendered by TCS) continuing without deterioration of services and standards. In all likelihood, it will certainly deteriorate if taken over by in-house personnel from the DAD, who would remain static at the level of technology inherited when taking over from TCS.
10. Inevitably, the coming transfer process will witness the requirement of texted/emailed SPARSH user ID and temporary password being maliciously exploited by "scamsters" and hackers to dupe the gullible and the aged. How will the DAD ensure that pensioners are made aware that they should not be tricked into clicking on a spurious link? There is no campaign afoot to spread awareness in this respect. Equally alarming is the prospect of the vulnerable segments being exploited because of their necessarily having to take the help of internet cafes etc. to activate and access their SPARSH accounts. Without doubt, many such users will be criminally exploited.
Para 11 (paper dated 09 May 2022)
11. As a palliative to the projected problem of the relative inaccessibility of DAD nodes, and the difficulty of projecting problems and complaints, it has been announced that SPARSH is to co-opt the 4,00,000+ CSCs to act as interfaces with pensioners (in addition to the DAD nodes and the SPARSH central help-lines). This very ill-considered and hasty decision, taken without understanding the sensitivity of pensioners' personal data, guarantees financial fraud upon ESM due to access to such data by staff of the CSCs. The utility of this "after-thought" decision is in grave doubt, and it is bound to be counter-productive.
 
On consulting some experts, it is learnt that a properly secured site should have multiple layers of security at the server level and at the database level, with individual login credentials and multiple third-party firewalls in place. It is clear that the firewalls here were, in all likelihood, only of L1 status, leading to this breach.
 
The fact that the data is reportedly being sold at $9 for 0.41 MB gives the impression that the hackers may have gained entry to the database itself. Furthermore, it is stated that the leaked data belongs to the Kerala region; this needs investigation beyond the data leak alone. Is there something beyond what meets the eye?
 
I don't understand how changing the password will stop the hackers from manipulating individual data as well as bank accounts. By now the hackers have full control over the super admin vis-à-vis the database.
 
This is a matter of very serious concern, as all documents having a bearing on finances are easily available, and this could also lead to the bank accounts of individuals being hacked.
 
Fortunately, the banking system has far more secure systems in place, and we can only hope that the pensioners' banking data leaked by SPARSH will be safe with the banking software, which is more secure and better firewalled.
 
With the site now pulled down after this attack, the ability of many pensioners to meet the extended deadline of 31 Jan 2023 for submission of the ALC also needs to be reviewed.
 
There are some loopholes in the system where critical data can be changed without any authentication beyond Level I OTP validation. These need not be spelt out here for security reasons; however, the authorities would do well to ensure that all such loose ends are now closed with an additional security step.
 
If only the authorities had paid more heed to our warnings rather than being in haste to meet a deadline to please those who matter.
 
Finally, we can only say:
A single owl is enough to lay waste to a garden;
here, an owl sits on every branch.
