In a serious breach of security, personal details including telephone numbers, bank account details and Aadhaar numbers of more than 20 lakh customers of Himachal Pradesh State Electricity Board Ltd (HPSEBL) have been leaked online. The leak includes data of both commercial clients and home users.
This data breach will make it easy for hackers to access personal information of almost all those in the state of Himachal Pradesh.
The personal information of almost anyone who has paid electricity bills to Himachal Pradesh State Electricity Board can be obtained from this set of documents. The documents contain a person’s name, email ID, HPSEBL customer ID, Aadhaar number, bank account details, IFSC code and phone number. Since the Aadhaar number is linked to almost every account, a person’s details can be obtained even if they chose to pay offline. The presence of the Aadhaar details alongside the phone number makes it easy to extract all the other information.
This data breach was found by cyber security researcher Rishi Dwivedi on the main portal of HPSEBL. Dwivedi found that anybody can access these details from the server, as it is not secured. “The website has no security restrictions on access to data, such as locked admin-controlled panels, and access to the server should be only from certain IPs and not from all,” points out Dwivedi.
“There are absolutely no restrictions on accessing the HPSEBL server, and due to the lack of security anyone can find these details on Google using a normal query,” explains Dwivedi.
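The two gaps Dwivedi describes, an admin panel reachable from any address and customer data that a search engine can index, are both access-control settings on the web front end. The following is an added example, not HPSEBL’s configuration and not code from the article: a hypothetical nginx front end for a billing portal, shown first with the weak settings and then hardened. The hostname, the backend port, the `/admin/` and `/exports/` paths, the certificate paths, the htpasswd file and the allowlisted `203.0.113.0/24` range are all placeholders.

```nginx
# Added example, not HPSEBL's configuration. All paths and addresses are placeholders.

# Weak: the admin panel is served to anyone on the internet, and a directory of
# bulk exports is listed and downloadable with nothing telling crawlers to stay away.
server {
    listen 80;
    server_name billing.example.invalid;

    location /admin/ {
        proxy_pass http://127.0.0.1:8080;   # no allowlist, no authentication
    }

    location /exports/ {
        autoindex on;                       # directory listing exposes every file
        root /srv/billing;
    }
}

# Hardened: the admin panel answers only to an allowlisted office range and still
# requires a login, bulk exports are not served from the web root at all, traffic is
# TLS-only, and every response tells search engines not to index the application.
server {
    listen 443 ssl;
    server_name billing.example.invalid;
    ssl_certificate     /etc/ssl/certs/billing.pem;     # placeholder
    ssl_certificate_key /etc/ssl/private/billing.key;   # placeholder

    add_header X-Robots-Tag "noindex, nofollow" always;

    location /admin/ {
        allow 203.0.113.0/24;      # placeholder (TEST-NET) range for the office network
        deny  all;                 # every other source address receives 403
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd;   # placeholder credential file
        proxy_pass http://127.0.0.1:8080;
    }

    location /exports/ {
        return 404;                # customer exports never belong under the web root
    }
}

# Redirect any plain-HTTP request to the TLS listener.
server {
    listen 80;
    server_name billing.example.invalid;
    return 301 https://$host$request_uri;
}
```

After changing the configuration, `nginx -t` checks the syntax before a reload, and the restriction can be confirmed by requesting `/admin/` from an address outside the allowlist and checking that the response is 403 rather than the panel. The `X-Robots-Tag` header addresses the “find it on Google” problem for well-behaved crawlers, but it is no substitute for the `deny` rule: data that should not be public must not be reachable at all.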
“Since the Aadhaar details are there, people can easily create fake Aadhaar IDs and use them for other purposes. The person will never know,” added Dwivedi.
He had sent emails to HPSEBL pointing out the security breach, but no one responded. Dwivedi requested that they look into the matter but was met with only silence.
Experts say such data can be sold on the black market, where demand for it is high. When such sensitive information is easily available on the dark web, it enables straightforward identity theft and espionage, and the details can be used to steal money from a person’s bank account.
Those handling the HPSEBL server should have audited it periodically to check for exposed data. “The company should close every open and broken link and invite security experts to test their server,” underscores Dwivedi.
This data breach comes at a time when India is looking to water down its already weak data privacy laws. The government is mandating that only critical information needs to be compulsorily retained in India. If this is agreed to, it will reduce the number of instances in which company executives can be jailed over a breach of data security.
In the original draft of the Personal Data Protection Bill, 2018, the ministry of electronics and IT had suggested that a copy of all personal data be stored in India, while “critical” information had to be mandatorily stored only in the country. The government has to identify what constitutes “critical” personal data.