Fodder for cyber criminals as government website leaks sensitive info of retired employees

If exploited, the breach of privacy could leave retirees at the mercy of scamsters and cyber criminals.
For representational purposes (Express Illustrations)

HYDERABAD: The Directorate of Treasuries and Accounts (DoTA) website is leaking sensitive information like bank account numbers, tax-deduction, PAN and pension details of retired State government employees, and the authorities are in no mood to remedy the situation anytime soon. If exploited, the breach of privacy could leave retirees at the mercy of scamsters and cyber criminals.

Simply entering a name, such as ‘Vijay’, on the website https://treasury.telangana.gov.in/pensions/index.php threw up details of all pensioners by that name — for instance, C Vijay or Rajesh Vijaykumar — an assessment by The New Indian Express found. These details included money transactions and even sensitive numbers like the Pension Payment Order (PPO) ID.

The PPO-ID, when copied from that page and entered under the ‘Form 16 Download’ option of the website, reveals the name of that particular pensioner, along with his/her address, bank account number, statements, tax deductions and other details. 

Sections 43A and 72A of the Information Technology (IT) Act apply here. Section 43A mentions that whenever a corporate body possesses or deals with any sensitive personal data or information, and is negligent in maintaining reasonable security to protect such data or information, which thereby causes wrongful loss or wrongful gain to any person, then such a corporate body shall be liable to pay damages to the person(s) so affected.

Section 72A further provides for punishment for disclosure of information in breach of a lawful contract: any person making such a disclosure may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding ₹5 lakh, or with both.

Experts warn of risk, official says private details will remain on website till end of the month
Director of Treasuries and Accounts KSRC Murthy admitted that displaying the data publicly was against the law, but added, “From across the State, 2.67 lakh pensioners are asking us for details to file IT returns and pensioner’s claims. The DoTA will give pensioners Form 16 to file IT returns... it will be online till July 31.”

Cybersecurity expert Srinivas Kodali warned of ‘social engineering attacks’, as anybody can now access beneficiaries’ bank account details. “As per the Banking Act, beneficiaries’ bank accounts and PAN details should not be on a public domain. A data protection law is the need of the hour,” Kodali said.

The New Indian Express
www.newindianexpress.com