Indian Government Website for Farmers Exposes Data

Security Practitioners Say It Lacks Basic Encryption Tools
A ministry of agriculture website in India lacks basic security measures, risking exposing personal data on millions of farmers who use the site to obtain crop insurance, a security practitioner who uses the site has pointed out.

The website of Pradhan Mantri Fasal Bima Yojana, the Prime Minister Agriculture Credit Scheme, is running on Hypertext Transfer Protocol (HTTP) and capturing in clear text the personal details of farmers, including name, age, bank account numbers, mobile numbers and Aadhaar numbers. A website capturing citizen information should be using HTTPS, which encrypts the communication between the browser and the site.

Satish Kulkarni, a security practitioner with a leading IT firm who owns agricultural land, says he raised the issue last year with the government. He says he had written to CERT-In to bring up the matter, but no action has been taken until now. "I am not sure how we can have a safe digital India initiative with this attitude of the government," Kulkarni says.

Kulkarni says mail he sent to Dr. Sanjay Bahl, director general of CERT-In, last week, however, elicited a response. The response read: "Thank you for reporting this to CERT-In. For your information CERT In has contacted NIC - the hosting provider - to do the needful along with Ministry of Agriculture. A mail has also been sent to Ministry of Agriculture".

But even today the site is running on HTTP.

Other security practitioners share Kulkarni's concerns about the slow pace of government action on security issues.

"We in India are very much accustomed to government apathy. Even after repeated reminders, the government decides not to make use of suggestions by the security community," says Dinesh O Bareja, COO at Open Security Alliance. "Therefore most of us have stopped reacting to such blunders by the government."

The ministry of agriculture did not immediately reply to Information Security Media Group's request for comment.

HTTP Protocol

Farmers in India use the PMFBY website to obtain crop insurance. Farmers either enter the necessary data on their own or work with agents, who enter it on their behalf.

According to Census 2011, there are 118.8 million cultivators across the country. A report by the Hindustan Times, however, states the figure was about 263 million in 2014.

"I am not sure how such an important website is launched with insecure communication," Kulkarni says. "We keep talking about digital India, but such basic blunders on government websites gives an impression of insecure digital India."

All the information in the registration form is captured in clear text, so it's easily accessible by hackers looking for data, Kulkarni says.

"If the government, who is custodian of our data does not care, then who will care?" asks a forensic expert associated with the government, who asked not to be named.

Ironically, India is planning to come out with its own Data Protection Act, the first draft of which will be made public soon. "And here we are talking of a data protection act. This is double standard on part of the government," the forensic expert says.

Kulkarni says he and others also faced several other issues while filing the online form on the website. "Every time I was trying to fill up the form, the website would show error. Furthermore, it shows I have paid my premium while I am yet to pay."

Bureaucratic Inaction

A common complaint among Indian security researchers is that there is little action or acknowledgement by the government when website vulnerabilities are pointed out to it.

For instance, Kulkarni says that when he called CERT-In to notify it of the security issue, "the person at the help desk could not understand what I was talking about. When I asked him how do I escalate the matter, he was clueless. The person wanted me to provide the evidence. This, after I had mailed them the screen shots of the website. I don't understand what evidence they need to confirm if a website is http or https."

Bareja notes: "At times, it feels like the response department of government of India is just a national feel-good factor with no concrete action. It is obvious there is no particular officer assigned to the response department. However, at the same time, CERT-In wants us to be a community and share information."

A Call to Action

Earlier this year, multiple government websites were either defaced or found to have security vulnerabilities.

Bharat Sanchar Nigam Limited, the state-run telecommunications company; India Post; the Indian Space Research Organization; and numerous portals were discovered to be exposing Aadhaar details of Indian citizens. Even the Supreme Court of India website was defaced in March this year.

Some security experts suggest the government needs to take a number of steps, including:

  • Mandate cybersecurity awareness programs for all government employees;
  • Conduct regular security and phishing drills;
  • Do more to attract and retain qualified cybersecurity staff, recruiting experts from the private sector.

About the Author

Suparna Goswami

Associate Editor, ISMG

Goswami has more than 10 years of experience in the field of journalism. She has covered a variety of beats including global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed to Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine and leading Indian newspapers, such as DNA and Times of India.



