India’s official income tax e-filing portal — used by over 135 million people — recently faced a serious security issue that exposed private user information, including bank account details and Aadhaar numbers, according to a report by TechCrunch.
Although the government has now fixed the problem, experts warn that sensitive taxpayer data may have been vulnerable for an unknown period.
How the Flaw Was Discovered
The issue was discovered in September by two security researchers, Akshay CS and “Viral”, who found that anyone logged into the portal could easily access another person’s financial records.
All it took was swapping one PAN (Permanent Account Number) for another in a basic network request — something that could be done with simple tools like Postman or even a browser’s developer console.
This loophole allowed unauthorized users to view names, addresses, dates of birth, phone numbers, bank details, and Aadhaar information of other taxpayers.
According to the researchers, “It was an extremely simple bug, but with very serious consequences.”
What Went Wrong
The issue stemmed from a missing security step known as access control — a check that ensures users can only view their own data.
Without it, both individuals and companies had their confidential details exposed.
After being alerted, India’s Computer Emergency Response Team (CERT-In) and the Income Tax Department investigated the issue.
A fix was confirmed and deployed on October 2, after which the vulnerability was disclosed publicly.
However, authorities have not revealed how long the flaw existed or whether any data was misused during that time.
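The missing access-control check described above, shown as an added example (this is not the portal's code and not taken from the report): one handler only confirms the caller is logged in and then trusts the PAN in the request, while the corrected handler ties the lookup to the PAN stored in the session and records refusals for monitoring. All function names, PANs, records and the in-memory session store are hypothetical, constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data: placeholder PANs and fields, not real records.
RECORDS = {
    "AAAAA0000A": {"name": "Taxpayer A", "bank_account": "XXXX1111"},
    "BBBBB1111B": {"name": "Taxpayer B", "bank_account": "XXXX2222"},
}
# Session token -> PAN the user authenticated as (set by the server at login).
SESSIONS = {"token-a": "AAAAA0000A", "token-b": "BBBBB1111B"}
DENIED = defaultdict(set)  # session token -> other PANs it was refused


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def get_profile_unchecked(session_token, requested_pan):
    """Flawed pattern: checks that the caller is logged in, then trusts the PAN."""
    if session_token not in SESSIONS:
        raise Unauthenticated("login required")
    return RECORDS.get(requested_pan)


def get_profile_checked(session_token, requested_pan):
    """Corrected pattern: the PAN in the request must match the session's PAN."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Unauthenticated("login required")
    requested = requested_pan.strip().upper()
    if requested != owner:
        DENIED[session_token].add(requested)  # keep evidence for monitoring
        raise Forbidden("PAN does not belong to this session")
    return RECORDS[owner]  # look up by the server-side identity, not user input


def sessions_probing_other_pans(threshold=2):
    """Sessions refused for at least `threshold` distinct PANs (possible enumeration)."""
    return sorted(t for t, pans in DENIED.items() if len(pans) >= threshold)
```

The refusal log matters as much as the check itself: a session that is denied for several different PANs is the signal a monitoring team would want surfaced.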
A Wake-Up Call for Digital Security
The e-filing portal handles massive volumes of data, with more than 76 million tax returns filed in FY 2024–25 alone.
This incident raises serious questions about how securely taxpayer data is managed in government systems.
Cybersecurity experts say the episode highlights how even a small coding oversight can lead to major privacy risks — especially when millions rely on online systems for essential financial tasks.
As India continues its push toward digital governance, this serves as a reminder that data protection must evolve just as fast as technology does.