New Delhi: In a revelation set to sharpen the privacy debate in India, confidential data on subscribers of the Employees’ Provident Fund Organisation (EPFO) has been found to have been stolen by hackers, forcing the body to shut down a website and stop linking provident fund accounts with Aadhaar numbers.

The data theft came to light on Wednesday after a letter written by Central Provident Fund Commissioner (CPFC) V.P Joy to Dinesh Tyagi, chief executive officer at Common Service Centre (CSC), the body which managed the EPFO website with the data, surfaced on Twitter.

According to the letter, dated 23 March, the Intelligence Bureau (IB) had informed the labour ministry in March about the data theft from the website that helps link the Aadhaar numbers of subscribers with their EPF account numbers.

The website had subscribers data related to their Aadhaar number, Permanent Account Number or PAN, personal family and salary details.

“It has been intimated that the data has been stolen by hackers by exploiting the vulnerabilities prevailing in the website ( of EPFO," Joy wrote in the letter to Tyagi.

Though the website was hosted at the National Data Centre for EPFO, the application running on the server was managed by the CSC.

EPFO on Wednesday said that it has not lost data, including the Aadhaar data of its subscribers, but did not refute the fact that Joy had written to Tyagi. CSC functions under the IT ministry.

It was not clear on Wednesday how much data has been leaked.

Joy’s letter said that the IB has advised adhering to “best practices and guidelines for securing the confidential data, re-emphasising regular and meaningful audit and vulnerability assessment and penetration testing of the entire system from competent auditors and testers stated".

On Wednesday, the retirement fund body said in a statement, “EPFO has been taking all necessary precautions and measures to ensure that no data leakage takes place and will continue to be vigilant about it in future. No confirmed data leakage has been established or observed so far. As part of the data security and protection, EPFO has taken advance action by closing the server and host service through Common Service Centres pending vulnerability checks."

“I don’t know how my letter got leaked. We shall find out," Joy said in an interview. He said EPFO has “taken care of the vulnerabilities and soon after it was warned about the vulnerability of data it stopped availing services of the CSC".

“A day before I wrote the letter, we stopped their service and the server. We don’t need them anymore," he said, adding that he is assuring subscribers that their data is safe. “People do not know we have stopped their service… They may have some stake in the Aadhaar case going on in the Supreme Court," Joy argued.

CSC was hired by the EPFO more than a year back to help in linking Aadhaar data with EPF account number. Though Joy would not say that how many EPF accounts were seeded with Aadhaar via CSC, a total of 34 million EPF subscribers and pensioners have already seeded their Aadhaar with EPF account.

The Unique Identification Authority of India (UIDAI) on Wednesday clarified that the does not belong to UIDAI “in any manner whatsoever".

“This matter does not pertain at all to any Aadhaar data breach from UIDAI servers. There is absolutely no breach into Aadhaar database of UIDAI…," it said, indirectly putting the onus on EPFO and CSC for any theft of EPF subscribers’ Aadhaar data.

“A vulnerability has been pointed out, and the exercise to plug the vulnerability will be undertaken, if it is there," said a senior IT ministry official requesting anonymity.

EPFO data breach is important as it is set to prompt questions on how safe the data held by EPFO is, and whether Aadhaar data leakage can happen from other modes outside the UIDAI purview.

EPFO, one of the largest social security bodies in the country, manages a corpus of more than Rs. 11 trillion and has nearly 60 million active subscribers. A Constitution bench of the Supreme Court is hearing petitions against Aadhaar, the 12-digit unique identity number, including the larger issue around breaches of privacy.