Personal Details of India's Top Industrialists Leaked due to Security Bug in MCA Portal

Many software glitches have been reported in the official portal of the Ministry of Corporate Affairs, which companies use to file their respective compliance activities under the Companies Act. 

As per the latest report, the security bug in the MCA portal meant that Aadhaar-based KYC details of all the company directors were "accessible without authorisation." These directors include celebrities and industrialists like Shah Rukh Khan, Virat Kohli, Gautam Adani, Mukesh Ambani and Ratan Tata. 

The details about these security bugs were revealed by security researcher Sai Krishna Kothapalli of Hackcrew. The report revealed that the security issues with the portal were fixed "only after 11 months after it was reported to the Indian Computer Emergency Response Team." 

A security bug can be understood as a software bug introduced due to poor quality control and software programming. In the past, company secretaries and CAs have criticised the MCA portal over these issues. 

The MCA portal disseminates information related to any company that needs to be made public for business transactions and verification. 

"Under the Companies Act and Prevention of Money Laundering Act (PMLA), KYC norms exist to stop operations of shell companies involved in any illegal activities. A part of this KYC information is shared publicly to anyone who wants to verify details of the company or the director, with whom they are entering into a business contract under the Companies Act," as per The Wire. 

However, the information accessible on the MCA portal was much more than what was required to be published. The details that could be easily accessed without authorisation included mobile number, email ID, Voter ID, PAN, and Aadhaar. 

This incident further raises questions about the security of the data collected as part of the KYC process. Software Testing and Quality Certification (STQC) and the Indian Computer Emergency Response Team (CERT-In) are responsible for carrying out security audits and quality checks. The Unique Identification Authority of India (UIDAI) is responsible for the security of Aadhaar-related data.

In an ideal scenario, CERT-in must address security lapses that people disclose to them.  

"In this case, CERT-In was informed about the security issue in January 2023. While it flagged the issue, it did not fix it immediately. Even now, whether the issue is completely fixed is unknown, as CERT-In does not conduct any forensic analysis, potentially leading to the issue to continue to exist."

It has become common for government authorities to collect all kinds of data for regulatory activities. Some of the information asked from the users is mandatory. However, the failure on the part of government departments to adequately secure the data from being accessible to others is unacceptable. 

"The Digital Personal Data Protection Act 2023, which is yet to be enforced, completely exempts government departments. Despite this exemption, in this case, the government still has to do a forensic analysis to identify the scale of the data leak."