Tuesday, February 25, 2025

Indian Post Office KYC Data Breach Exposes Security Flaws in Digital ID Systems


Another alarming digital ID and KYC data breach has once again exposed the vulnerabilities of digital identity systems, proving why they remain a significant privacy nightmare. 


A security flaw in the Indian Post Office portal has led to the exposure of thousands of Know Your Customer (KYC) records, demonstrating the ongoing risks of centralized digital ID infrastructure. The breach was caused by an Insecure Direct Object Reference (IDOR) vulnerability, which allowed unauthorized access to sensitive customer data by manipulating the document_id parameter in API requests.

The flaw, discovered by cybersecurity analyst Gokuleswaran, exposed confidential information including Aadhaar numbers, PAN details, usernames, and mobile phone numbers of postal service users. The vulnerability stemmed from a weakness in the portal’s URL structure, enabling direct access to customer records without proper authentication. 

This breach is particularly alarming given India’s rapid expansion of Aadhaar-based authentication across multiple sectors, amplifying the potential for misuse of exposed data.

This incident highlights the critical privacy and security risks of digital IDs.

Leaked Aadhaar and PAN details can be exploited for identity theft, fraud, and targeted phishing attacks.

Additionally, it raises major regulatory concerns, as India struggles to enforce its data protection policies while advancing its digital identity programs, such as the AI-powered Central KYC Registry set to launch in 2025.

India’s Computer Emergency Response Team (CERT-In) has acknowledged the security lapse and issued mitigation strategies to address IDOR vulnerabilities. Among its recommendations are the implementation of secure tokens instead of direct URL references and the adoption of routine security assessments. However, such breaches continue to occur despite previous advisories, demonstrating a systemic failure in protecting digital identity systems from exploitation.
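The class of flaw and the token-based mitigation described above, as an added example that is not code from the portal or from CERT-In's advisory. The record store, user names and function names are hypothetical, and the sample records are constructed placeholders.

```python
import secrets

# Constructed sample records keyed by a guessable, sequential document_id.
RECORDS = {
    1001: {"owner": "alice", "kyc": "record-for-alice"},
    1002: {"owner": "bob", "kyc": "record-for-bob"},
}

# Server-side indirect reference map: random token -> (user, document_id).
_REFS = {}


def fetch_vulnerable(session_user, document_id):
    """IDOR: the caller-supplied id is the only thing consulted.

    session_user is accepted but never checked, so any caller can read
    any record by changing document_id.
    """
    record = RECORDS.get(int(document_id))
    return record["kyc"] if record else None


def issue_reference(session_user, document_id):
    """Hand out an unguessable token, and only to the record's owner."""
    record = RECORDS.get(document_id)
    if record is None or record["owner"] != session_user:
        raise PermissionError("not the owner of this document")
    token = secrets.token_urlsafe(16)
    _REFS[token] = (session_user, document_id)
    return token


def fetch_hardened(session_user, token):
    """Resolve the token, then re-check ownership on every request."""
    entry = _REFS.get(token)
    if entry is None:
        return None  # raw ids and guessed tokens resolve to nothing
    issued_to, document_id = entry
    record = RECORDS.get(document_id)
    # The ownership check is the real control; the token only removes
    # the guessable identifier from the URL.
    if record is None or issued_to != session_user or record["owner"] != session_user:
        return None
    return record["kyc"]
```

The token alone is not the fix: a leaked or shared token must still fail for a different session, which is why fetch_hardened compares the session user against both the token's holder and the record's owner.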
