How personal data is at risk in Haryana’s family identity scheme  

At a time when the Centre is aggressively banning Chinese apps to secure the country’s data, a major security glitch, which could open sensitive and confidential information of residents to theft, has been reported in Haryana’s latest data collection exercise to make family ID cards or Parivar Pehchan Patra (PPP).

The technical snag has been reported by a Mohali-based ethical hacking team.

What is a Parivar Pehchan Patra?

According to the Haryana government, the primary objective of PPP, launched by Chief Minister Manohar Lal Khattar in July 2019, is to create authentic, verified and reliable data of all families in the state.

As part of the exercise, each and every family in the state is identified and their data is collected with their consent and stored in a digital format. A family ID card contains phone numbers, email ids as well as details of Aadhar card, voter identity card, bank accounts and PAN card of the members of a family. Families owning a PPP are provided an eight-digit family identity number. The family ID is linked to the birth, death and marriage records of the concerned family to ensure automatic update as and when the events happen.

Security not strong enough

However, Corporatekey Consulting, an IT and security audit firm has said that the database is not secure enough and public information stored in it can be easily hacked by a rookie hacker and used for insidious purposes.

A member of the team who hails from Haryana said, “I got my family ID registered and went online to check it. Since I am an ethical hacker, I am always concerned about the security of my data. So, I checked the application programming interface (API) calls going towards the data centre. I was able to trace the request and get the data of already registered families.”

He added said the API call can be accessed easily and a hacker even with a month of experience could lay his hands on sensitive data containing details like names, address as well as identity and bank details.

He said that there are high chances that the data is being mined by some party.

The team intimated the National Informatics Centre (NIC) which comes under the Ministry of Electronics and Information Technology (MeITY) and mailed all sensitive information to the officials of Haryana NIC and Ravi Shankar Prasad, the Union Minister for Law and Justice, Communications and Electronics and Information Technology.

The Indian Computer Emergency Response Team (CERT-In) which falls under MeITY have said they are investigating the incident after being apprised about the same.

“It’s our responsibility to report these issues. We would request Haryana government to look into this on priority basis and get it fixed as soon as possible,” Corporatekey Consulting said.

The security glitch comes at a time when the Haryana government is planning to link the Family ID with existing, independent schemes related to scholarships, subsidies and pensions. The ID card has already been made mandatory for government schemes such as disability pensions, Old Age Samman Allowance, and pensions for widows. Reports say even vaccination drives including that for COVID-19 will give priority to those having PPP.

While information on caste and income is being collected for PPPs in many cities, authorities in some places have made the identity card mandatory for the registration of land title deeds from the tehsil office.

Once hacked, not shy yet

The concerns about the technical faults in the PPP database are serious, especially when it has already experienced a breach of data in July this year. The breach was confirmed by a senior bureaucrat. According to a national daily which reported the incident, data culled by the state government under PPP and the Mukhya Mantri Parivar Samridhi Yojna (MMPSY) was  allegedly found to be accessed in Ukraine after the authorities ‘experienced’ a security issue linked to an unauthorised access into the MMPSY/PPP portal and database.

Following the incident, the Haryana Citizen Resources Information Department (Crid) urged the IT department to probe the matter and put necessary protocols in place to avoid a recurrence of the security breach. The Crid also requested the department to conduct a security audit of the application and keep Aadhar details in a vault.

The recent development is concerning when the National Crime Records Bureau reports a rise in cybercrimes by 63.5 per cent in 2019 when compared to 2018. A whopping 60.4 per cent of the cases were related to cyber frauds, signalling towards the need for a better cyber security framework.

Dr Pavan Duggal, founder of International Commission on Cyber Security Law and a Supreme Court advocate, said the government is not serious about the data of citizens in India.

“It is very important to keep the citizens’ data safe, otherwise it can lead to very serious consequences. A sensitive data like PPP is out in open which can track a person entirely, is really worrying. We don’t even have a law on cyber security yet. The Indian government really needs to take the data of Indian citizens and cyber security seriously, otherwise it can hit India’s safety, security, sovereignty and integrity,” he said.