MCA Leaked Personal Data of India's Richest People and Company Directors, Says Security Expert
Moneylife Digital Team 18 January 2024
Due to a vulnerability or security bug, the website of the Union ministry of corporate affairs (MCA) leaked the personal data of Ratan Tata, Mukesh Ambani, Gautam Adani, Virat Kohli, Shah Rukh Khan and lakhs of other directors of companies, alleges a security expert. Sai Krishna Kothapalli, who runs a cybersecurity company called Hackrew, says it took 11 months and four days for a critical vulnerability to be fixed that leaked personally identifiable information of approximately 9.8mn (million) Indians, including many high net-worth individuals following proper government channels.
In a blog post, Mr Kothapalli says he was working on a proof of concept for a security tool called Eagle Eye that will detect secrets and other sensitive information from all the websites he was testing. He visited the MCA portal for some work and found the tool picked up some information.
"There was some PII (personal identifiable information) like email and phone numbers that were in the HTTP response but not there in the rendered HTML. What this means is that your browser received some data that's not shown anywhere on the screen. This is a very generic type of vulnerability that's usually present in web or mobile applications. Essentially, the server is sending more than necessary data. Sometimes, this might include sensitive data," he says.
Mr Kothapalli says he found not just his personal information but also email IDs and phone numbers of all the ID numbers he has, which were available through the MCA website, even when he was not logged in to the application. He says he found that the only input he had provided was his director identification number (DIN), which the ministry assigns. 
He then tried using a random DIN 00000001 and could see the personal information of none other than Ratan Tata! When the MCA portal was launched in 2006, Mr Tata was assigned the first DIN number. 
"Essentially, all the directors of Indian companies are affected. I couldn't find exactly how many directors are there. But if you look at DINs being issued, the latest numbers are over 98.65 lakh. It includes industrialists like Mr Tata, Mukesh Ambani, and Adani, cricketers like MS Dhoni, Virat Kohli, and Hardik Pandya and actors like Shah Rukh Khan, Mahesh Babu, and Pawan Kalyan, and many more," he says.
Mr Kothapalli says he was able to see personal information like phone numbers, email IDs, home addresses, father's name, date of birth, Aadhaar number, PAN number, passport number and voter ID numbers of the company directors. 
After finding the bug on 16 January 2023, he contacted the Indian computer emergency response team -CERT-In. After going back and forth, finally, on 19 December 2023, CERT-In informed Mr Kothapalli that the concerned organisation had confirmed that they had fixed the reported vulnerability and asked him to verify. 
He replied, "The vulnerability appears to be fixed. There might be more URLs that are vulnerable since there is similar functionality in the MCA application, the team should also look at those. Also, will there be any check to see if this vulnerability has been abused? Since I have seen some companies selling directors' contact information like email and phone numbers publicly. How can we identify if the said data is obtained legally or otherwise?"
CERT-In told him that it had noted his concerns and would take appropriate action.
"As I mentioned in my email to CERT-IN, this vulnerability has existed for many months. There are a lot of companies openly selling the contact information (email and phone numbers) of directors online. I don't know if this vulnerability has been exploited. Surely, a thorough investigation is needed," Mr Kothapalli says.
The MCA21 portal of online corporate filing and compliance system has been creating several issues for chartered accountants (CAs) and company secretaries (CSs) for the past several years. The problems started in 2013 when MCA21 switched from Tata Consultancy Services Ltd (TCS) to Infosys (Read: Why can't Infosys get MCA21, the e-filing system working?). The nightmare lasted until 2016 and, despite the huge public embarrassment, Infosys kept dragging its feet over fixing issues (Read: After 3 years, Infosys still can't fix MCA's system that started cracking under its watch). The problem returns with a vengeance when MCA calls for new bids to handle the MCA21, tinkers with the process in the name of increasing efficiency, and hands the contract to the lowest bidder! 
LTIMindtree Ltd bagged the contract for developing V3 which is being rolled out in phases from May 2021. The first two phases themselves have unleashed chaos. In March 2022, limited liability partnership (LLP)-related web filings were moved to V3. (Read: MCA21 in Digital India: Company Secretaries Erupt in Anger, Once Again over LTIMindtree's Dysfunctional Version3)
5 months ago
cyber coolies do work as told at hourly rate and don't bother as to what needs to be really done, so don't expect anything.
5 months ago
Great going Lame Digital India err Bharat.
Free Helpline
Legal Credit