Security Flaw in MCA Portal Exposed Aadhaar-Based KYC Information of India’s Leading Industrialists

Recently, the Ministry of Corporate Affairs (MCA) portal, commonly used by companies to submit compliance activities under the Companies Act, experienced a significant security breach. This breach led to unauthorized access to Aadhaar-based KYC (know your customer) details of renowned industrialists and celebrities, including Ratan Tata, Mukesh Ambani, Gautam Adani, Virat Kohli, and Shah Rukh Khan.

A security researcher from Hackcrew highlighted this issue in a detailed report. The report revealed that it took approximately 11 months to address the security flaw. The flaw was reportedly fixed only after the report was submitted to the Indian Computer Emergency Response Team (CERT-In).

The MCA portal, a crucial platform that gives the public access to company-related information and facilitates transactions and verifications, recently experienced a significant setback. Mandated by the Companies Act and the Prevention of Money Laundering Act (PMLA), KYC norms are instrumental in preventing illicit activities linked to shell companies. However, the recent security breach underscored a vulnerability in safeguarding sensitive personal information.

The leaked data encompassed a wealth of personal details, including Aadhaar numbers, PAN cards, Voter IDs, addresses, mobile numbers, and email IDs. The gravity of the breach was exacerbated by internal MCA flags, revealing specifics such as company director status and shared director addresses.

The systemic failure in protecting Aadhaar data is disconcerting, particularly given the oversight responsibilities of regulatory bodies like the Software Testing and Quality Certification (STQC) and CERT-In. Both entities have faced challenges in effectively addressing and preventing such breaches, exposing a capacity gap within CERT-In.

This incident underscores the critical need for the government to step up, take responsibility, and enforce stringent measures to tackle software-related issues. The widespread reliance on this information by various companies and data providers amplifies the far-reaching impact of the breach.

Adding to the challenge, the lack of effective data management and oversight within government departments, in direct violation of policies mandating proper data classification, exacerbates the consequences of the breach. The delay in implementing essential regulations such as the Digital Personal Data Protection Act 2023 and the classification of datasets by the India Data Management Office reveals persistent challenges in data governance.

The gravity of the situation becomes even more apparent when well-known figures like Ratan Tata, a staunch advocate for privacy rights, find themselves victims of such breaches. The failure to uphold fundamental privacy rights emphasizes the immediate necessity for comprehensive data protection measures.

This breach serves as a stark reminder of vulnerabilities in critical systems and underscores the urgent need for proactive measures to safeguard sensitive information. The repercussions extend beyond individual privacy concerns, impacting the broader economy and regulatory landscape, compelling swift and decisive action to prevent future occurrences.

 

Author

Krishna Gopal Varshney

Founder & CEO - Myitronline Global Services Pvt. Ltd.
