UMANG Security Flaw Raises Concerns Over Exposure of Aadhaar EPFO and PAN Related Data
A reported security weakness in the UMANG platform prompted government action after researchers warned that sensitive user information linked to multiple public services could have been exposed through architectural vulnerabilities.

India’s flagship UMANG platform has come under scrutiny after cybersecurity researchers reported serious security weaknesses that may have exposed sensitive information linked to several government services. Following the disclosure, the Ministry of Electronics and Information Technology acknowledged the issue and said corrective measures have already been initiated to strengthen the platform’s security.
The reported vulnerabilities were not limited to a single service. According to cybersecurity researchers, the flaws were connected to the underlying architecture of the UMANG platform, potentially allowing access to sensitive information across multiple government databases. While the findings raised significant concerns, there has been no official confirmation that the exposed information was leaked or misused on a large scale.
UMANG was introduced nearly nine years ago as a unified digital platform that brings together central and state government services in one place. Today, it offers access to more than 2400 public services and is used by millions of citizens across India for everyday government related transactions. Because of its widespread adoption, any security issue involving the platform is considered highly significant.
Researchers claimed that the exposed information included EPFO Universal Account Numbers, Aadhaar numbers stored across several government services, and LPG cylinder booking records linked to at least one major oil marketing company. They also pointed out that in some cases Aadhaar numbers were reportedly stored as plain text, a practice that raises compliance concerns under existing data protection rules. However, they clarified that the dedicated Aadhaar module within UMANG itself was not affected by this particular issue.
One of the biggest concerns revolves around the EPFO service, which is among the most frequently used features on UMANG. Reports indicate that more than 400 million transactions have been processed through the EPFO module in the last three months alone. Experts warned that if attackers had successfully exploited the weaknesses, a large number of users could have faced potential risks.
Cybersecurity specialists also explained that certain security controls such as rate limiting made it difficult for attackers to copy the entire EPFO database. However, they cautioned that if someone already possessed valid Universal Account Numbers, those details could potentially be misused to attempt unauthorized actions involving linked financial information or payment processes. They emphasized that such scenarios highlight the importance of stronger authentication and continuous monitoring.
After receiving the vulnerability report, the Ministry of Electronics and Information Technology said its development and security teams reviewed the findings in detail. According to the ministry, plaintext information exposed through certain application interfaces has now been encrypted, while API logs from the past three months have also been examined. Officials stated that no unusual transaction patterns have been detected so far and that continuous monitoring of the platform remains in place.
The researchers also informed CERT In, the ministry, and EPFO about the security concerns before the issue became public. Shortly afterward, EPFO temporarily suspended parts of its online portal for migration activities. Although researchers believe the maintenance may have been connected to the reported vulnerabilities, authorities have not officially confirmed any direct link.
The incident has once again highlighted the growing importance of cybersecurity for digital public infrastructure. As government services continue to move online and handle massive volumes of personal information, experts say regular security audits, rapid vulnerability response, and stronger data protection measures will remain essential to maintaining public trust in digital governance platforms.




