Income Tax Portal Data Breach: Taxpayers' Data Exposed in India

Data Breach Affects Indian Income Tax Filing Portal
A security vulnerability within the Indian government’s income tax filing portal was recently identified and has now been addressed by the tax authority, as exclusively reported by TechCrunch and confirmed by official sources.
Exposure of Sensitive Taxpayer Information
The flaw, initially detected in September by security researchers Akshay CS and “Viral,” permitted unauthorized access to current personal and financial information belonging to other taxpayers while a user was logged into the e-Filing portal.
A wide range of sensitive data was potentially compromised. This included complete names, residential addresses, email addresses, dates of birth, contact phone numbers, and detailed bank account information.
Aadhaar Numbers Also at Risk
Furthermore, the exposed data encompassed citizens’ Aadhaar numbers, a unique identification number issued by the government. This number serves as official proof of identity and is utilized for accessing various government services.
TechCrunch independently validated the existence of this data exposure. Permission was granted to the researchers to retrieve records pertaining to a TechCrunch reporter through the portal.
Vulnerability Remediation and Disclosure
The researchers verified to TechCrunch on October 2nd that the security vulnerability had been successfully resolved. Due to the potential public risk, publication of this report was delayed until confirmation of the fix was received.
Government Response
While the Indian Income Tax Department acknowledged receipt of a request for comment from TechCrunch, no responses to specific inquiries were provided before publication. Notably, the department raised no objections to the publication of this story.
The incident highlights the importance of robust security measures in protecting sensitive taxpayer data. Ongoing vigilance and proactive vulnerability assessments are crucial for maintaining public trust.
Sensitive Data Exposed Due to Critical Vulnerability
Security researchers, Akshay CS and “Viral”, have revealed a significant security flaw within the Indian government’s income tax filing website to TechCrunch.
The discovery occurred during the researchers’ own tax return filing process.
Indian citizens are mandated to submit their yearly income reports for tax calculation purposes.
The vulnerability allowed unauthorized access to sensitive financial information. By altering the Permanent Account Number (PAN) in the network request sent while a page was loading, the researchers could view data belonging to other individuals.
This manipulation was achievable using readily available tools such as Postman, Burp Suite, or even a web browser’s developer tools, provided the attacker knew another user’s PAN.
The flaw stemmed from inadequate verification procedures on the Indian income tax department’s servers. These servers failed to properly authenticate user access to sensitive data.
This type of vulnerability is categorized as an insecure direct object reference (IDOR). It’s a frequently encountered and relatively straightforward security weakness that governments have previously cautioned against due to its potential for large-scale data breaches.
The researchers emphasized the simplicity of the exploit, stating, “This is an extremely low-hanging thing, but one that has a very severe consequence.”
Beyond individual taxpayer data, the vulnerability also compromised information related to companies registered on the e-Filing portal.
TechCrunch independently confirmed the bug’s impact extended to individuals who hadn't yet filed their income tax returns for the current year.
Verification was conducted with explicit permission from an individual who had not submitted their tax return, allowing the researchers to demonstrate the vulnerability.
Understanding the Vulnerability
- PAN Manipulation: The core issue involved altering the PAN number in the network request.
- IDOR Classification: The flaw is a classic example of an insecure direct object reference.
- Lack of Verification: Insufficient server-side checks allowed unauthorized data access.
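The three points above describe the whole bug: the server used the client-supplied PAN as the lookup key and only checked that some session existed, not that the session was allowed to read that PAN. The following Python is an added illustration of that pattern and of the fix, written for this page; it is not the e-Filing portal's code. The PANs, records and session layout are constructed for the demo, and the `delegated_pans` field is an assumption standing in for whatever mechanism the portal uses to let a user act for a registered company.

```python
"""Added example: an object lookup that trusts the PAN in the request (the IDOR
described in the article) beside a lookup bound to the authenticated session.
Example code, not the portal's own; all records and PANs are constructed."""
from dataclasses import dataclass, field

# Constructed sample records keyed by PAN (made-up values, not real people).
RECORDS = {
    "ABCDE1234F": {"name": "Taxpayer One", "bank_account": "XXXX1111"},
    "PQRST5678K": {"name": "Taxpayer Two", "bank_account": "XXXX2222"},
    "AAACC9999C": {"name": "Example Pvt Ltd", "bank_account": "XXXX3333"},
}


@dataclass
class Session:
    """Server-side session state created at login (assumed layout)."""
    pan: str                                    # PAN the user authenticated as
    # PANs of other entities (e.g. a company) this user may act for. Hypothetical
    # field: it stands in for whatever delegation model the real portal has.
    delegated_pans: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    pass


def get_record_vulnerable(session, requested_pan):
    """Vulnerable shape: the only check is that a session exists. Whatever PAN
    the client put in the request becomes the lookup key, so any logged-in user
    can read any other user's record."""
    if session is None:
        raise Forbidden("not logged in")
    return RECORDS.get(requested_pan)


def authorised_pans(session):
    """The set of objects this principal may read: itself plus delegations."""
    return {session.pan} | set(session.delegated_pans)


def can_read(session, requested_pan):
    """Authorization decision, separated so it can be unit-tested and logged."""
    return session is not None and requested_pan in authorised_pans(session)


def get_record_hardened(session, requested_pan):
    """Hardened shape: the requested object is checked against the principal's
    allow-list before any data is fetched. A request for someone else's PAN
    fails closed, and the denial is worth logging (see the detection example
    later on this page)."""
    if session is None:
        raise Forbidden("not logged in")
    if not can_read(session, requested_pan):
        raise Forbidden(f"session for {session.pan} may not read {requested_pan}")
    return RECORDS.get(requested_pan)


if __name__ == "__main__":
    s = Session(pan="ABCDE1234F", delegated_pans=frozenset({"AAACC9999C"}))
    # Vulnerable handler hands over another taxpayer's record.
    print(get_record_vulnerable(s, "PQRST5678K"))
    # Hardened handler serves own and delegated records only.
    print(get_record_hardened(s, "ABCDE1234F"))
    print(get_record_hardened(s, "AAACC9999C"))
    try:
        get_record_hardened(s, "PQRST5678K")
    except Forbidden as e:
        print("denied:", e)
```

The design point is that the fix is not "validate the PAN format" or "hide the parameter"; it is to derive the permitted set of objects from the authenticated identity on the server and reject anything outside it. For the plain self-service case the client-supplied PAN can be ignored entirely and `session.pan` used instead; the allow-list form above is needed once a user may legitimately act for other entities such as registered companies.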
Impact of the Bug
The consequences of this vulnerability were substantial, potentially exposing the financial details of numerous individuals and businesses.
The ease with which the bug could be exploited heightened the risk of widespread data compromise.
Security Vulnerability Confirmed by CERT-In
The researchers promptly reported the flaw to India's CERT-In, the national computer emergency response team, but were given no timeframe for a fix.
A representative from CERT-In confirmed to TechCrunch on September 30th that the Income Tax Department had initiated efforts to resolve the vulnerability.
TechCrunch's requests for comment to the Indian Ministry of Finance went unanswered. After TechCrunch contacted the Income Tax Department about the vulnerability, the director general of Systems acknowledged receiving the message on October 1st but offered no further statement.
How long the vulnerability existed, and whether anyone accessed the exposed data without authorization, remain unknown. CERT-In did not respond to TechCrunch's questions on these points.
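The question of whether unauthorized access occurred is normally answered from the application's access logs: an IDOR being exploited leaves one authenticated session fetching records for many PANs other than its own. The following Python is an added example of that hunt, written for this page and not taken from the portal or from CERT-In. The log format, field names, session ids and PANs are all constructed assumptions; a real investigation would adapt the regex to whatever the portal actually logs.

```python
"""Added example: hunting access logs for one session reading profile records
of many distinct PANs, the footprint an IDOR abuse leaves behind. Log format,
field names and every value below are constructed for the demo."""
import re
from collections import defaultdict

# Constructed sample log: s1 reads its own record and a delegated company's,
# s2 walks through several other people's PANs (one of them non-existent).
SAMPLE_LOG = """\
2025-09-15T10:01:02Z sid=s1 user_pan=ABCDE1234F GET /api/profile?pan=ABCDE1234F 200
2025-09-15T10:01:09Z sid=s1 user_pan=ABCDE1234F GET /api/profile?pan=AAACC9999C 200
2025-09-15T10:02:30Z sid=s2 user_pan=PQRST5678K GET /api/profile?pan=PQRST5678K 200
2025-09-15T10:02:31Z sid=s2 user_pan=PQRST5678K GET /api/profile?pan=ABCDE1234F 200
2025-09-15T10:02:32Z sid=s2 user_pan=PQRST5678K GET /api/profile?pan=LMNOP1111Q 200
2025-09-15T10:02:33Z sid=s2 user_pan=PQRST5678K GET /api/profile?pan=ZZZZZ0000Z 404
2025-09-15T10:05:00Z sid=s3 user_pan=LMNOP1111Q GET /api/profile?pan=LMNOP1111Q 200
"""

# Assumed line layout: timestamp, session id, authenticated PAN, method, path, status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) user_pan=(?P<user>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)
# PAN shape: five letters, four digits, one letter.
PAN_PARAM_RE = re.compile(r"[?&]pan=([A-Z]{5}\d{4}[A-Z])")


def parse(log_text):
    """Yield (sid, user_pan, requested_pan, status) for each profile lookup.
    Lines that do not match are skipped rather than aborting the hunt."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PAN_PARAM_RE.search(m["path"])
        if not p:
            continue
        yield m["sid"], m["user"], p.group(1), int(m["status"])


def foreign_pans_by_session(log_text, delegations=None):
    """Map each session to the PANs it requested that are neither its own nor
    one it is known to be delegated for (delegations: user_pan -> set of PANs).
    404s are kept on purpose: probing for PANs that do not exist is still a signal."""
    delegations = delegations or {}
    result = defaultdict(set)
    for sid, user, requested, status in parse(log_text):
        if requested == user or requested in delegations.get(user, set()):
            continue
        result[sid].add(requested)
    return dict(result)


def flag_sessions(log_text, delegations=None, threshold=2):
    """Session ids that touched at least `threshold` foreign PANs, sorted."""
    by_session = foreign_pans_by_session(log_text, delegations)
    return sorted(sid for sid, pans in by_session.items() if len(pans) >= threshold)


if __name__ == "__main__":
    known_delegations = {"ABCDE1234F": {"AAACC9999C"}}
    print(foreign_pans_by_session(SAMPLE_LOG, known_delegations))
    print("suspicious sessions:", flag_sessions(SAMPLE_LOG, known_delegations))
```

Two caveats matter when running this for real. First, the hunt only works if the server logged the authenticated identity alongside the requested object; a log that records only the URL cannot distinguish a user reading their own record from one reading someone else's. Second, the delegation table is what keeps legitimate company filings out of the results, so it has to come from the application's authoritative data, not be guessed from the traffic.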
The precise number of individuals affected by the data exposure remains undetermined. The Income Tax Department’s online portal indicates over 135 million registered users.
Furthermore, publicly available data from the portal shows that more than 76 million income tax returns were filed during the 2024-25 financial year.
Details of the Reported Issue
The nature of the security flaw has not been publicly disclosed. Investigations are ongoing to fully assess the scope and potential impact of the vulnerability.
CERT-In is responsible for overseeing cybersecurity incidents and issuing alerts to relevant stakeholders. Their role is crucial in mitigating risks to India’s digital infrastructure.
- The vulnerability was reported to CERT-In by security researchers.
- The Income Tax Department acknowledged the issue and began remediation.
- The Ministry of Finance and the Director General of Systems have not provided further comment.
The lack of transparency surrounding the incident raises concerns about data security and the potential for misuse of sensitive taxpayer information. Continued monitoring and investigation are essential.