Top News

UMANG Security Review Underway After Researchers Flag Vulnerabilities Affecting Linked Government Services
KalamTimes | July 15, 2026 6:40 PM CST

Government Confirms Security Fixes Are Being Implemented; No Evidence of Large-Scale Data Misuse Reported So Far

India's Unified Mobile Application for New-age Governance (UMANG) platform has come under cybersecurity scrutiny after independent security researchers identified multiple vulnerabilities that could have exposed sensitive information linked to certain government services. The reported issues have prompted a security review by government agencies, with officials stating that corrective measures are already being implemented.

According to the findings, the vulnerabilities were not found in the Aadhaar authentication module itself. However, researchers warned that weaknesses in some integrated services connected to the UMANG platform could have potentially exposed personal information such as Aadhaar numbers, EPFO account details, banking information, and LPG-related records if exploited by malicious actors.

Authorities have emphasized that there is currently no public evidence of widespread exploitation or mass data theft, but investigations and continuous monitoring remain underway.

Security Researchers Report Multiple Weaknesses

The security concerns were identified by cybersecurity researchers Akshay CS and Viral Vaghela, who examined different services integrated into the UMANG platform.

According to their report, several security gaps may have existed across multiple modules for an extended period. The researchers claimed that certain components lacked adequate security protections, raising concerns about the safety of user information stored through connected government services.

To prevent potential misuse before the issues are fully resolved, detailed technical information about the vulnerabilities has not been publicly disclosed.

What Information Could Have Been Exposed?

The researchers suggested that, under certain circumstances, attackers could have attempted to access information associated with some integrated government services. The data reportedly at risk included:

  • Aadhaar numbers stored by certain connected services.
  • Employees' Provident Fund Organisation (EPFO) Universal Account Number (UAN) details.
  • Bank account information linked to EPFO services.
  • LPG booking records associated with a major public-sector oil marketing company.
  • Additional user information stored across selected UMANG-integrated services.

Importantly, the report clarified that no security flaw was identified within the Aadhaar service module itself operating through UMANG.

Potential Risks Highlighted by Researchers

The researchers stated that if these vulnerabilities had been successfully exploited, cybercriminals might have been able to perform unauthorized actions, including:

  • Viewing sensitive personal information.
  • Accessing Aadhaar numbers that may have been stored without encryption in certain integrated systems.
  • Attempting unauthorized changes to bank account information linked with EPFO services.
  • Initiating fraudulent payment requests.
  • Misusing EPFO UAN information for financial fraud or identity-related attacks.

Despite these concerns, there has been no confirmed evidence that these vulnerabilities were exploited on a large scale.

Government Says Security Measures Have Been Strengthened

Following the disclosure, the Ministry of Electronics and Information Technology (MeitY) acknowledged the reported issues and confirmed that security and development teams reviewed the findings.

According to the ministry:

  • Necessary software updates and security improvements are being implemented.
  • Plaintext information transmitted through affected APIs has now been encrypted.
  • API transaction logs covering the previous three months have been reviewed.
  • Officials found transaction patterns to be normal during the assessment period.
  • Continuous monitoring has been introduced to identify any suspicious activity on the platform.

The government maintains that the platform is under active observation while additional safeguards continue to be deployed.

CERT-In and EPFO Also Responded

After identifying the vulnerabilities, the researchers reportedly informed both MeitY and the Indian Computer Emergency Response Team (CERT-In), India's national cybersecurity incident response agency.

Following the disclosure, EPFO temporarily suspended access to its online migration portal. Reports also indicated that some EPFO digital services experienced temporary disruptions during the review period.

While officials have not directly linked the service interruptions to the reported vulnerabilities, researchers believe the temporary shutdowns may have been part of precautionary security assessments.

Why the Issue Matters

UMANG serves as a digital gateway for numerous central and state government services, making it one of India's most widely used citizen service platforms.

Among its most frequently accessed offerings are EPFO-related services, which reportedly processed more than 400 million transactions during the past three months. Given the platform's massive user base, even isolated security weaknesses can attract significant attention because of the potential impact on millions of users.

The researchers also noted that storing Aadhaar numbers in plaintext, if confirmed within any integrated service, would not align with the privacy and security principles outlined under the Aadhaar Act, 2016.

Safety Tips for UMANG and EPFO Users

Although the government has not advised users to take emergency action, cybersecurity experts recommend following basic digital safety practices:

  • Regularly review EPFO account activity for unexpected changes.
  • Verify that linked bank account details remain accurate.
  • Monitor SMS and email alerts related to government services.
  • Never share OTPs, passwords, or login credentials with anyone.
  • Report suspicious account activity immediately through the appropriate official government portal.
Current Status

The reported vulnerabilities are currently being addressed through security updates and continuous monitoring. Officials have stated that investigations remain ongoing, while researchers continue to work with authorities through responsible disclosure practices.

Users are advised to rely only on official updates from MeitY, CERT-In, EPFO, and UMANG regarding any future announcements related to the platform's security enhancements.


READ NEXT
Cancel OK