NEW DELHI, India – A massive digital governance initiative designed to simplify public services for millions of Indians has been found to harbor critical security flaws, potentially exposing sensitive personal data across a multitude of government databases. The Unified Mobile Application for New-age Governance (UMANG), a central portal aggregating over 2,400 services from both Union and State Governments, has been flagged by independent security researchers for vulnerabilities that could have persisted for years, leaving vast swathes of citizen data, including critical financial and identity details, at risk.

The revelations come at a time when India is aggressively pursuing digital transformation, positioning its extensive digital public infrastructure as a model for the world. However, the findings paint a concerning picture of underlying architectural weaknesses in one of its flagship applications, prompting urgent questions about the robustness of the nation’s digital security framework.

Main Facts: A Digital Breach of Trust

At the heart of the crisis are fundamental design flaws within the UMANG portal, which aggregates services from various government entities, including the crucial Employees’ Provident Fund Organisation (EPFO), Aadhaar, and essential utilities like LPG booking. Two security researchers, Akshay C.S. and Viral Vaghela, meticulously documented these vulnerabilities and shared their alarming findings with The Hindu. Their assessment was stark: "Almost everything is broken by design," Mr. Vaghela stated, pointing to systemic issues rather than isolated bugs.

The exposed data is diverse and highly sensitive, encompassing:

  • Unique Account Numbers (UANs) associated with the EPFO, which are vital for accessing provident fund benefits.
  • LPG cylinder booking details, including consumer information, from at least one major oil marketing company.
  • Aadhaar numbers, which were found stored in plaintext across several services within the UMANG ecosystem. This is a direct violation of the Aadhaar Act, 2016, which explicitly disallows such storage practices to protect individual privacy and security. While the Aadhaar module itself within UMANG was not vulnerable, the integration across other services proved to be a critical weak point.

The scale of potential exposure is immense. UMANG, launched nine years ago by Prime Minister Narendra Modi at the fifth Global Conference on Cyber Space in Delhi, serves as a digital lifeline for millions. Its most heavily utilized service is the EPFO module, which alone processed over 40 crore (400 million) transactions in the last three months, dwarfing other use cases by a factor of fifteen. This high transaction volume underscores the critical importance of securing the platform, as any breach could have far-reaching financial and personal consequences for a significant portion of the Indian workforce.

The Ministry of Electronics and Information Technology (MeitY) has acknowledged the vulnerabilities, stating that its "development and security teams have carefully examined the observations and are implementing the necessary corrective and preventive measures." The Ministry further claimed that "the plaintext information in the concerned APIs has been appropriately encrypted." However, the researchers, supported by another independent security expert, Karan Saini, have strongly contested the efficacy of these initial fixes, raising concerns that the measures taken are inadequate and, in some cases, may have introduced new vulnerabilities.

Chronology of Discovery and Disclosure

The timeline of the vulnerability disclosure reveals a rapid sequence of events that highlights both the urgency of the issue and the challenges in implementing effective security patches.

Initial Discovery and Reporting:
Akshay C.S. and Viral Vaghela, both seasoned security researchers, dedicated significant time to probing the UMANG portal’s architecture. Their investigations uncovered a multitude of flaws, which they determined were not superficial but deeply embedded in the platform’s fundamental design. Recognizing the gravity of their findings, particularly the exposure of sensitive financial and identity data, they promptly reported the vulnerabilities to the appropriate government authorities.

Their formal reports were submitted to both the Ministry of Electronics and Information Technology (MeitY) and the Computer Emergency Response Team, India (CERT-In). CERT-In is the national agency responsible for issuing alerts, handling cybersecurity incidents, and helping organizations across the country implement fixes for vulnerabilities. The researchers also extended their alerts to the Employees’ Provident Fund Organisation (EPFO), given the severe implications for its users.

Government Acknowledgment and Initial Response:
Following the submission of the vulnerability reports, MeitY acknowledged the existence of the flaws. In a statement provided to The Hindu, the Ministry affirmed that its teams were engaged in examining the observations and were in the process of implementing "corrective and preventive measures." A key claim from MeitY was that "the plaintext information in the concerned APIs has been appropriately encrypted." The Ministry also stated that it had "reviewed the API transaction logs for the past three months" and found "transaction volumes" to be consistent, indicating, in their view, no immediate signs of widespread exploitation.

EPFO Downtime and Suspected Link:
Shortly after the researchers reported the vulnerabilities to the relevant authorities, a significant event occurred: the EPFO took down its online portal. The official reason cited for this downtime was a "migration," and some of its services remained unavailable for a period. Akshay C.S. and Viral Vaghela, however, strongly suspected that this outage was a direct consequence of their alerts, indicating that the EPFO was likely scrambling to address the exposed vulnerabilities. The Ministry of Labour and Employment, under whose purview the EPFO falls, did not respond to requests for comment regarding the downtime or its connection to the security reports.

Expert Validation and Critique of Fixes:
To independently verify the severity of the vulnerabilities and the efficacy of the government’s initial responses, The Hindu requested the researchers to share their findings with Karan Saini, another highly respected independent security researcher. Saini corroborated the gravity of the issues, terming the vulnerabilities "significant." More critically, Saini delivered a damning assessment of the initial fixes deployed by MeitY. He stated that the encryption referred to by the IT Ministry was "flawed and inadequate," and that a "simple workaround" allowed it to be bypassed. Saini further criticized the government’s approach, noting that the "fixes initially implemented following the disclosure appear to do nothing to secure the system and instead confuse obscurity with security, while also introducing another vulnerability in the process." This indicated that not only were the original flaws not truly resolved, but the attempt to patch them had inadvertently created a new attack vector. The Hindu has chosen to withhold the precise technical details of both the original and the newly introduced vulnerabilities, as they remain active despite the interventions.

This chronology underscores a critical disconnect: while the government swiftly acknowledged the problem and claimed to have implemented fixes, independent experts found those fixes to be superficial and ineffective, highlighting a deeper systemic challenge in addressing cybersecurity within complex digital governance platforms.

Supporting Data: The Deep Dive into Vulnerabilities and Exposed Data

The detailed findings by Akshay C.S. and Viral Vaghela, validated by Karan Saini, paint a grim picture of the security posture of the UMANG portal. The vulnerabilities are not merely superficial errors but stem from fundamental architectural design flaws, as Mr. Vaghela highlighted with his statement, "Almost everything is broken by design."

Architectural Weaknesses:
UMANG functions as an aggregator, a central gateway through which users can access hundreds of distinct government services. This architecture, while convenient for users, presents a unique security challenge. If the central aggregation layer is inherently flawed, it can act as a single point of failure, exposing data from all connected services. The researchers suggest that the design did not adequately account for robust security practices at the integration points, leading to a cascade of vulnerabilities. The concept of "security by design," where security considerations are embedded from the earliest stages of development, appears to have been overlooked in many aspects of UMANG’s construction.

Plaintext Aadhaar Numbers: A Grave Violation:
Perhaps the most alarming revelation is the discovery of Aadhaar numbers stored in plaintext across various services within UMANG. The Aadhaar Act, 2016, is explicit in its mandate for the protection of Aadhaar data, particularly prohibiting its storage in an unencrypted, easily readable format. Plaintext storage makes this unique 12-digit identity number highly susceptible to theft and misuse. While the core Aadhaar module within UMANG itself was reportedly not vulnerable, the integration of Aadhaar details into other services linked through UMANG created these critical exposure points. This lapse represents a significant breach of trust and a direct contravention of legal safeguards designed to protect citizens’ primary digital identity.

EPFO UANs and Financial Risks:
The Employees’ Provident Fund Organisation (EPFO) module is UMANG’s most-used service, underscoring its critical role in the financial lives of millions of Indian workers. The exposure of Unique Account Numbers (UANs) associated with EPFO accounts is profoundly concerning. A UAN is a 12-digit number allotted to every employee contributing to the EPF. It acts as a universal identifier that remains the same even if an employee changes jobs. With a UAN, users can check their provident fund balance, apply for withdrawals, transfer funds, and update KYC details.

Karan Saini elaborated on the severe implications of UAN exposure: while he deemed it "unlikely that the vulnerability could have been exploited to mirror the entire EPFO database" due to implemented rate limiting and the vast number space of UANs, he warned of a more insidious threat. Cybercriminals in possession of UANs could "potentially have been abused… to siphon funds at scale by allowing for both changing of bank account details and initiating payouts, which is very concerning." This suggests a targeted attack vector, where criminals could use stolen UANs to compromise individual EPFO accounts, diverting savings or accessing personal financial information. The potential for financial fraud and identity theft on a massive scale is therefore very real.

"Flawed and Inadequate" Encryption and Obscurity vs. Security:
MeitY’s claim of having "appropriately encrypted" the plaintext information was swiftly debunked by the researchers. Akshay C.S. stated that the encryption deployed was "flawed and inadequate," and that a "simple workaround" allowed it to be cracked. This indicates that the encryption method either had inherent weaknesses, was incorrectly implemented, or was easily bypassed, rendering it ineffective.

Furthermore, Karan Saini’s observation that the fixes "confuse obscurity with security" is a critical cybersecurity principle. Obscurity relies on hiding information or processes in the hope that attackers won’t find them, rather than implementing robust protective measures. For instance, if data is merely encoded or slightly scrambled without strong cryptographic principles, it might appear secure to a casual observer but is easily deciphered by a determined attacker. This approach is widely condemned in cybersecurity as it provides a false sense of security and often leads to deeper vulnerabilities when eventually exposed.

Introduction of a New Vulnerability:
Perhaps the most troubling aspect of the government’s response is Saini’s revelation that the initial fixes not only failed to secure the system but also "introduc[ed] another vulnerability in the process." This highlights a dangerous cycle where reactive, poorly executed patches can exacerbate existing problems or create new attack surfaces, making the system even more fragile. It underscores the need for thorough security audits and expert validation of all fixes before deployment, especially on critical public infrastructure.

UMANG portal flaws exposed user data across hundreds of services, researchers find

Proxy Services and Underserved Risks:
Saini also raised a crucial question: "It is worth examining whether the fixes deployed on the UMANG portal were simultaneously deployed across the services for which UMANG acts as a proxy." Given UMANG’s role as a gateway, it’s entirely possible that even if the UMANG interface itself is hardened, the underlying services it connects to might still be vulnerable if they have not implemented corresponding security upgrades. This "proxy problem" means that securing UMANG requires a holistic approach across the entire ecosystem of integrated government services, a monumental task that demands coordinated efforts and stringent security standards.

The confluence of these factors – architectural flaws, plaintext data storage, vulnerable financial details, ineffective patches, and the introduction of new weaknesses – paints a picture of a critical digital infrastructure facing significant security challenges, with millions of citizens’ data hanging in the balance.

Official Responses and Ongoing Measures

The official response to the reported vulnerabilities has been a mix of acknowledgment, claims of mitigation, and a broader strategic outline for enhancing government cybersecurity. However, these responses have been met with skepticism from the security research community.

Ministry of Electronics and Information Technology (MeitY) Statement:
MeitY, the nodal ministry for UMANG, issued a statement to The Hindu confirming its awareness of the vulnerabilities. The Ministry stated, "Our development and security teams have carefully examined the observations and are implementing the necessary corrective and preventive measures." A key assertion from MeitY was that "the plaintext information in the concerned APIs has been appropriately encrypted." This claim aimed to reassure the public that immediate steps had been taken to address the critical issue of unencrypted sensitive data.

Furthermore, the Ministry indicated that it had conducted an internal review, stating, "The Ministry added that it has ‘reviewed the API transaction logs for the past three months’ and found that ‘transaction volumes’ were consistent and that it continued to keep watch on activities on the UMANG portal." This suggests an assessment that there was no immediate evidence of large-scale exploitation or unusual activity, aiming to mitigate panic.

Critique of MeitY’s Claims:
The researchers, however, sharply contradicted MeitY’s claims regarding the effectiveness of the encryption. Akshay C.S. unequivocally stated that the encryption implemented was "flawed and inadequate," and could be bypassed with a "simple workaround." This directly challenges the Ministry’s assertion that the data had been "appropriately encrypted," suggesting that the fix was either insufficient or improperly applied, offering little actual protection.

Karan Saini’s expert validation further deepened this skepticism, asserting that the initial fixes did "nothing to secure the system" and instead "confuse obscurity with security." This implies that what MeitY considered a "fix" was merely a superficial change that might hide the data from a casual glance but offered no real cryptographic protection against a determined attacker. His additional revelation that the supposed "fix" actually introduced another vulnerability is particularly concerning, indicating a rushed or poorly managed patching process.

Lack of Response from Ministry of Labour and Employment:
Adding to the concerns, the Ministry of Labour and Employment, which oversees the EPFO – UMANG’s most critical and vulnerable service – did not respond to requests for comment. This silence, especially in light of the EPFO portal’s downtime, leaves crucial questions unanswered about their specific actions, the nature of the "migration," and the extent to which EPFO systems themselves were being secured in response to the reported vulnerabilities. The lack of transparent communication from a ministry responsible for the financial security of millions of workers is a significant oversight.

Ongoing Monitoring and Broader Strategy:
Despite the critical assessment of their immediate fixes, MeitY reiterated its commitment to cybersecurity, stating that it "continued to keep watch on activities on the UMANG portal." This indicates an ongoing monitoring effort.

Beyond reactive patching, the government’s official statements also revealed a broader, proactive strategy aimed at bolstering its cybersecurity posture. IT Secretary S. Krishnan detailed CERT-In’s initiative to establish a "war room" dedicated to auditing crucial government codebases. This war room utilizes locally hosted open-source AI models, which Mr. Krishnan stated are "about 60–70% as capable as Mythos," for identifying vulnerabilities. This effort is described as a "constant exercise" in combating cyber vulnerabilities and a "dry run for whenever Mythos is available."

The government’s pursuit of access to Anthropic’s Mythos AI model, touted for its advanced capabilities in securing complex codebases, further underscores its recognition of the need for sophisticated tools to address long-standing vulnerabilities. Mr. Krishnan confirmed that discussions were underway with U.S. counterparts and relevant companies to secure access to Mythos, emphasizing its potential "to actually identify any of these vulnerabilities now and correct them."

While these long-term strategic initiatives are commendable, the immediate failure of the UMANG fixes, as highlighted by independent researchers, casts a shadow over the government’s current capabilities to respond effectively and securely to critical, active threats. The discrepancy between official assurances and expert findings underscores a need for greater transparency, independent verification of security measures, and a more robust incident response framework.

Wider Implications: A Test of India’s Digital Governance Ambitions

The vulnerabilities discovered in the UMANG portal are more than just technical glitches; they represent a significant test of India’s ambitious digital governance agenda and have profound implications for citizen trust, national security, and the future trajectory of its digital economy.

Erosion of Citizen Trust:
At its core, UMANG was designed to build trust in government services by making them accessible, transparent, and efficient. A breach of this magnitude, exposing fundamental identity and financial data like Aadhaar numbers and EPFO UANs, can severely erode that trust. Citizens rely on the government to protect their most sensitive information, especially when mandated to use digital platforms for essential services. Doubts about the security of these platforms can lead to widespread reluctance to adopt digital services, undermining the very purpose of initiatives like Digital India. The notion that "almost everything is broken by design" is particularly damaging, suggesting systemic issues rather than isolated errors.

Impact on India’s Digital Transformation Narrative:
India has positioned itself as a global leader in digital public infrastructure (DPI), with UPI, Aadhaar, and other platforms garnering international acclaim. The UMANG vulnerabilities, however, highlight that even pioneering digital initiatives can be undermined by inadequate cybersecurity. Such incidents can temper international enthusiasm for India’s DPI model and raise questions among other nations considering adopting similar frameworks. It underscores the critical lesson that innovation must be coupled with robust, proactive security measures.

Financial Fraud and Identity Theft Risks:
The specific types of data exposed — UANs, LPG details, and Aadhaar numbers — are prime targets for cybercriminals. As Karan Saini warned, UANs could be leveraged to "siphon funds at scale" from EPFO accounts by manipulating bank details or initiating payouts. Aadhaar numbers, especially when found in plaintext, are foundational for identity theft, allowing criminals to open fraudulent accounts, avail loans, or access other services in the victim’s name. LPG booking details could be used for targeted phishing attacks or social engineering scams. The cumulative risk to millions of citizens’ financial well-being and personal identity is substantial.

The Challenge of Legacy Systems and Complex Integrations:
The UMANG portal’s issues also highlight a broader challenge faced by governments globally: integrating numerous existing, often disparate, services into a unified digital platform. Many government departments operate with legacy systems that may not have been designed with modern cybersecurity threats in mind. When UMANG acts as a "proxy" for these services, as Saini pointed out, the security of the entire ecosystem becomes dependent on the weakest link. Ensuring that security fixes on the UMANG portal are simultaneously and effectively deployed across all integrated services is a monumental task that requires standardized security protocols, continuous auditing, and robust inter-agency coordination.

Government’s Cybersecurity Posture and AI Ambitions:
The incident casts a critical light on the overall cybersecurity posture of Indian government websites and applications. While IT Secretary S. Krishnan spoke of CERT-In’s "war room" and the government’s pursuit of advanced AI models like Anthropic’s Mythos to identify vulnerabilities, the immediate failure to implement effective fixes for UMANG raises questions about the current efficacy of these efforts. If existing vulnerabilities, once identified, cannot be adequately patched without introducing new flaws, then even the most advanced AI tools will only highlight problems without guaranteeing secure resolutions.

The "dry run" with locally hosted open-source AI models, described as 60-70% as capable as Mythos, is a positive step towards proactive vulnerability detection. However, the UMANG incident underscores that detection is only half the battle; secure remediation is equally, if not more, critical. The government’s eagerness to access frontier AI models for cybersecurity is understandable, given the complexity of modern codebases and the evolving threat landscape. Yet, it also implicitly acknowledges the limitations of current human-led auditing and patching processes.

Call for Greater Transparency and Accountability:
The discrepancy between official statements of "appropriate encryption" and researchers’ findings of "flawed and inadequate" fixes highlights a need for greater transparency and independent verification in government cybersecurity responses. For critical national infrastructure, a system of third-party audits and public disclosure of security assessments, perhaps with appropriate redactions for sensitive details, could help restore public confidence and ensure accountability.

In conclusion, the UMANG vulnerabilities serve as a potent reminder that digital transformation, while offering immense benefits, carries significant responsibilities. Protecting citizen data is paramount, and it requires not just innovative technology but also robust security architecture, diligent implementation, continuous vigilance, and a willingness to transparently address flaws when they emerge. The incident is a call to action for India to fortify its digital foundations, ensuring that its ambitious journey towards a digitally empowered society is built on unshakeable trust and security.