Insolvency and Bankruptcy Board Ignored Warning for Over 2 Years; Put Out Aadhaar, PAN Details of Creditors On Website In “Inadvertent” Data Leak
Moneylife Digital Team 29 June 2021
In what is being termed as an “inadvertent” data leak, the Insolvency and Bankruptcy Board of India (IBBI) has put out on its website Aadhaar and PAN (permanent account number) details of creditors, including workmen, of many companies undergoing resolution process.
 
Sources say that the details were shared "inadvertently" as the IBBI is currently said to be working on a beta project to host the information of creditors of companies undergoing corporate insolvency resolution process (CIRP) and liquidation but added that matter would be sorted out in a few days and stressed that most details have already been removed from the website now. 
 
 
 
 
 
This is significant since for the past several years many government agencies have been issuing public warnings against revealing details of Aadhaar or PAN publicly as such information could be used for identity theft.
 
Having your Aadhaar or PAN leaked increases your chances of falling victim to identity theft actors, scammers, phishing campaigners. 
 
In this case, IBBI should have treated the data with greater caution. Unfortunately, the circulation of notices regarding the data breach is not something to be expected from a public entity like IBBI either. Hence each of the compromised companies should take the appropriate steps immediately to inform their employees and help them stay safe.
 
In September 2018, Srikanth L (who goes by the Twitter handle @logic) discovered that the unique debt identifier would contain Aadhaar in plain text violating the Aadhar storage tokenisation guidelines or Aadhaar vault storage rules.  He noted that this was problematic by referring the technical standards of IBBI.
 
 
 
Subsequently in March 2019, when IBBI openly sought feedback on various regulations, he wrote to IBBI and sounded a specific warning regarding collection and storage of Aadhaar details.
 
Srikanth wrote to them at that time with a general feedback on incompatibility of IBBI technical standards with Aadhaar Act and UIDAI regulations as part of IPA (insolvency professional agencies) & IU (information utilities) regulations feedback
 
In his feedback shared over two years back, he had specifically mentioned to IBBI, “As per the Supreme Court judgement on Aadhaar, the use of Aadhaar as identifier is only subject to matters related to obtaining government subsidy, benefits and cannot be mandated by any other entity. It also specifies that private entities cannot mandate Aadhaar”.
 
“The IBBI technical standards extensively use Aadhaar in multiple places violating not just Supreme Court guidelines but also UIDAI regulations pertaining to storage and use of Aadhaar numbers,” he added.
 
More specifically he had even explained “For the above noted inconsistencies with Aadhaar Act, Regulations of UIDAI with regards to storage and use of Aadhaar number in applications and the Supreme Court judgement on the Aadhaar case, it is suggested that the use of Aadhaar in the technical standards to be reviewed and suitable alternatives like use of PAN is used for individuals users for registration, verification, unique debt ID as is being done with the case of non-individual users using IU services”.
 
He had concluded his feedback by saying “It is also suggested that IBBI audit IU to ensure compliance with laws, regulations related to Aadhaar and conduct a full IT audit to ensure full compliance after the technical standards is modified to be compliant with law”.
 
Copy of Srikanth’s detailed feedback from March 2019 is shared below. 
 
 
It is not known, whether IBBI had taken note of the detailed feedback provided to it then since they did not acknowledge him individually. But his feedback was apparently  published on the 'board' and the status next to it reads as “Technical standards have been reviewed and amended w.e.f. 22nd January 2020 to take into account these observations”.
 
 
Srikant points out that the feedback shared by him, most likely ended up in trash or else the current data leak would have been averted. If they had really updated technical standards, this data leak would not have happened. 
 
He expressed his disappointment that government officials face no consequence for leaking Aadhaar data. According to him the actual scale of current data leak in IBBI  is estimated to be around 1 lakh to 2 lakh Aadhaar numbers. 
 
The IBBI, a key institution in implementing the Insolvency and Bankruptcy Code (IBC), is said to be working on a project to ensure and enhance transparency with respect to CIRP and liquidation processes. 
 
We accessed three separate documents uploaded on the IBBI website, which revealed the names and Aadhaar numbers of 128 workmen and the PAN of 234 workmen of three companies undergoing corporate insolvency proceedings. Moneylife is unable to confirm the total number of individuals and companies affected as of now by the IBBI data leak.
 
According to the IBBI regulations, details about creditors, including workmen, of companies undergoing CIRP or liquidation should be disclosed on the websites of the respective companies (corporate debtors). The details required include name of the creditor concerned, amount claimed and amount admitted.
 
There have been instances of resolution professionals approaching the IBBI and the National Company Law Tribunal (NCLT) with respect to the regulations requiring public disclosure of details of creditors.
 
In an order passed in December 2018, the Allahabad bench of the NCLT had directed an Interim Resolution Professional (IRP) to publish the list of creditors on the corporate debtor's website.
 
In case of a CIRP, these details must be disclosed by the resolution professional concerned while in liquidation processes, the respective liquidator would make these disclosures.
 
There are cases where small creditors have said that there is no way for them to monitor their claims and companies do not have websites where such claims can be uploaded and tracked.
 
For such companies, the IBBI is working on the proposed portal which would offer space where the status of claims can be revised and tracked by stakeholder and creditors too can have easy access.
 
Some officials acknowledged the goof up and explained that in some cases, the details about creditors, including information such as their Aadhaar and PAN, were submitted in the PDF format. Since it is difficult to remove specific details from the PDF files, Aadhaar and PAN information of many people were inadvertently made available on the IBBI website. The issue is expected to get resolved in a few days.
 
The identification information of creditors was meant for internal use by the IBBI and was made available publicly by mistake. Most of the documents revealing sensitive information on its website have already been taken down by the IBBI now. 
Comments
Free Helpline
Legal Credit
Feedback