CHENNAI: Personal information of thousands of employers and their staff from across Tamil Nadu has been stolen from the state government’s labour department portal twice in the last year. The stolen details belong to employers and their employees in shops and businesses, industries and private firms, and also comprises sensitive data including bank account details of guest workers in TN.
The data was stolen twice in May and November 2024 by two separate hacker groups who, according to an FIR registered on November 14, 2024, claimed to have hacked the entire database from the labour department portal and the inter-state migrant workers’ portal for sale on the dark web.
The database contained the Aadhaar and PAN details of employers, their phone numbers and addresses. The hackers also accessed documents related to the addresses and other personal details of several thousands of their employees.
The stolen data belongs to employers and their employees as registered under various labour laws, including the Tamil Nadu Shops and Establishments Act, Tamil Nadu Industrial Establishments (National Festival and Special Holidays) Act, Motor Transport Workers Act, Inter-State Migrant Workmen Act and Beedi and Cigar Workers (Conditions of Employment) Act, among others.
Apart from the labour department portal, data from the department’s Inter-State Migrant Workers MIS—which was launched in 2023—has also been stolen. This system is used for registration of inter-state migrant workers employed in commercial establishments, agriculture, schools, colleges and local bodies.
‘Labour dept failed to properly disclose data theft’
The portal also has details of the migrant workers’ Aadhaar and even their bank accounts.
The department has been able to recover most of the lost data with help from the Tamil Nadu State Data Centre which maintains the server for the department. However, instead of acknowledging the large scale data theft, the state government has been treating the incidents as merely a ‘data loss’ event in which they have been able to successfully avoid severe repercussions because the data was recovered fairly quickly.
Employers TNIE spoke to said that, when asked why the website was down, the department had mentioned a temporary ‘data loss’, but has till date not informed the stakeholders that sensitive data belonging to them have been stolen, possibly leaving them and their employees vulnerable to identity theft and financial fraud. This failure to inform the affected employers and workers has prevented them from taking protective measures or monitoring their accounts for suspicious activities.
However, the department did register a complaint with the cyber crime police after the second theft that occurred on November 11, 2024, with an FIR being filed on November 14. As per the FIR, the attack was executed with ‘GSocket’, a tool capable of establishing direct peer-to-peer connections, to bypass network restrictions such as NAT and firewalls. .
S Kannan, Tamil Nadu CITU deputy general secretary, said that the inter-state migrant workers portal alone had details of around 72 lakh workers collected through a drive that was intensified during the Covid-19 pandemic. “We have had suspicions of data theft but the department maintained that the data was merely lost due to a corrupt database. We also have doubts as to how the data is being used,” Kannan said.
An advocate specialising in cyber law, who also works with the state government in advisory positions, said that in cases like these, the websites are required to declare the theft. In this case, the labour department’s website simply carried a message stating that the site was under maintenance, without disclosing the data breach.
With no framework in place for data collection, the labour department has been collecting data from workers and employers without laying down the purpose of collection and how it intends to use them. In case of such a large-scale compromise, it is unclear who is accountable.
According to the Guidelines for Indian Government Websites (GIGW) 3.0, the name and designation of the Web Information Manager (WIM) should be displayed on the website along with contact details, usually as part of the “Website Policies” or “Contact Us” sections, for the purpose of accountability, to maintain a point of contact for corrections or inquiries and for transparency regarding who owns the content. However, both affected portals in this case do not mention the web manager nor have a ‘contact us’ option for queries in their home pages.
Rajaram Venkataraman, Convenor & Head of FICCI TNSC Technology Panel, said the government should explore a multi-layered approach to security, that includes encryption of sensitive personal or business information, as they expand and intensify data collection.
“You can make around Rs 300-Rs 500 by selling credit card information on the dark web. When access to data is not strictly restricted and critical data is not stored in encrypted form within organisations, anyone looking to make money will be able to use them,” Rajaram said.
A senior official in the labour department said that the portals are fully functional and the data has been recovered completely.
As to why the breach was not declared on the website, the official said, “We can only confirm that the website was down, so we had carried a message accordingly. It is the hackers’ claim that the data has been stolen, we cannot confirm that.” Officials also said that the websites are in the process of being revamped with better security measures so as to prevent such attacks in the future.