The Indian Income Tax Department swiftly fixed a critical security vulnerability in its e-Filing portal that exposed sensitive personal and financial data of taxpayers. The flaw allowed unauthorized access to information like PAN, Aadhaar, bank details, and contact data, raising significant privacy concerns amid India’s vast taxpayer base.
In a significant cybersecurity update, the Indian government's tax authority has remedied a major security flaw in its Income Tax e-Filing portal that exposed sensitive taxpayer data. Discovered by independent security researchers in September, the vulnerability enabled any logged-in user to access detailed personal and financial information of other users simply by manipulating the Permanent Account Number (PAN) in the portal's requests. This loophole, technically classified as an insecure direct object reference (IDOR), meant that the portal's backend failed to verify whether a user was authorized to access records other than their own.
The exposed data was comprehensive and alarming, including full names, home and email addresses, dates of birth, phone numbers, bank account details related to refunds and payments, and unique identifiers like Aadhaar numbers. With over 135 million registered users and more than 76 million tax returns filed in the last financial year alone, the scale of potential exposure posed a severe threat to millions of taxpayers and entities. Such data could facilitate identity theft, targeted phishing attacks, fraudulent refund claims, or SIM swaps leading to unauthorized transactions.
Security researchers, who responsibly notified the Computer Emergency Response Team of India (CERT-In), confirmed the vulnerability’s resolution by early October. However, at the time of reporting, Indian Income Tax Department representatives had yet to provide detailed comments on the breach or potential misuse. The government’s prompt corrective action prevented further exploitation but underscored the critical need for stringent access controls and continuous security audits for sensitive digital platforms.
This event highlights ongoing cybersecurity challenges in managing India's vast digital ecosystem of taxpayer data and stresses the importance of transparent communication with citizens regarding data safety. Taxpayers are advised to remain vigilant against suspicious communication involving their PAN or Aadhaar details and monitor their bank accounts closely for unauthorized activity.
Key highlights:
- Security flaw in India's Income Tax e-Filing portal allowed unauthorized access to sensitive taxpayer data.
- Data exposed included PAN, Aadhaar numbers, bank details, contact information, and other personal identifiers.
- Vulnerability was an insecure direct object reference (IDOR), easily exploitable by other logged-in users.
- Over 135 million users registered; more than 76 million filed returns in the last year, raising the scale of impact.
- Researchers alerted CERT-In and confirmed the bug fix by early October.
- Indian Income Tax Department yet to issue detailed statements on the breach's extent or misuse.
- Public urged to be cautious of phishing and fraudulent activities related to exposed data.
Source: TechCrunch, TradingView (Reuters)