Websites belonging to the defence ministry’s pay and account offices around the country have reportedly leaked sensitive data including ID numbers and PAN details of a number of Indian soldiers.
An internal review over the past few months found that the leaked data included names of soldiers, their military identity numbers and PAN details. The findings have prompted strict orders to review security protocols and take the necessary action to curb the leaks.
According to a report by The Economic Times, instructions on the disclosure of sensitive information have been issued to all concerned departments following the audit. An immediate order to take down the available information was also passed to prevent further misuse.
The circular sent out to government offices by the Ministry of Defence read as follows: "Any sensitive data open to all is required to be removed from the home page of the website and action taken report along with root cause may be furnished immediately."
The circular also asked offices to look into who has access to sensitive data, and suggested that it should be available only on "role-based access granted to the user", once the user has securely logged in.
Several government websites were not functioning properly on Monday, as they had been taken offline as a follow-up to the circular.
However, this isn't the first time that a defence website has been hacked. In April 2018, the Ministry of Defence website was reportedly hacked, though the government quickly put out a statement saying that a technical glitch was the reason behind the website malfunctioning.
Just a month before that, a group of hackers who called themselves Lulzsec India managed to break into a portion of the Rajya Sabha website that only members of the Upper House and administrators of the website are supposed to have access to.
In fact, in 2017, a written reply in the Lok Sabha by Milind Deora, the then Minister of State for Communications and IT, stated that since 2015, as many as 117 government websites had been victims of hacks. As per another report, the minister of state for home affairs, Kiren Rijiju, said last year that more than 700 central and state government websites had been breached between 2013 and 2017.
In March 2015, army officers were in a state of panic after their Principal Comptroller of Defence Accounts (Officers) (PCDAO) website was hacked. In March 2016, infamous terror outfit Al-Qaeda also hacked a section of the Indian Railways website, leaving a message asking Muslims to partake in what they termed to be a "global jihad."
While UIDAI continues to reiterate that its "biometric database is secure", a claim that is moot at this point, it's becoming quite apparent that government websites are by themselves as big a privacy risk as Aadhaar.