Convergence India
CERT-In Responds to Aadhaar & PAN Data Breach Pointing to IDOR Issue
IDOR enables an attacker to breach the data very easily, while the administrator is unable to trace the access systematically.

By Kumar Harshit

on November 5, 2024

The Indian Computer Emergency Response Team (CERT-In), under the Ministry of Electronics & Information Technology, Government of India, has issued a clarification regarding the Aadhaar data breach reported on September 26 by Moneycontrol.

Reason for the Breach
According to the statement issued by CERT-In, the data breach occurred because of an Insecure Direct Object Reference (IDOR) vulnerability; CERT-In notes a considerable increase in the exploitation of IDOR in Indian cyberspace. Through such exploitation, attackers gain access to unauthorised data, which is what enables the breach.

The Data Breach
The data breach was reported on September 26 on two sites holding Aadhaar data, namely Indian Aerospace & Engineering, Navi Mumbai, and The Star Kidz. The second URL reported for the breach has since been deactivated, while the first was still exposing data as of 12 PM, September 26, Moneycontrol reports.

Mr Debarghya Das, a venture capitalist by profession, was the first person to report the breach on social media.

What is IDOR?
An Insecure Direct Object Reference (IDOR) is a vulnerability that allows attackers to access unauthorised data by manipulating a URL or a form. For instance, if the URL www…/123 serves a user's info page, changing it to www…/345 can expose another user's data if the system is not equipped with proper checks.

It enables an attacker to breach the data very easily, while the administrator is unable to trace the access systematically.

How does this happen?
The vulnerability arises when:

  1. The application directly references an internal resource, such as a file or a database entry, by its identifier.
  2. The identifier in the URL is manipulated to request data the user is not entitled to.
  3. The application has no proper server-side check to allow or deny access to the referenced resource.

Ways to avoid it
To prevent this from happening, CERT-In has suggested a number of measures, including:

  1. Instead of exposing internal IDs in links, replace them with tokens.
  2. Rather than relying on the user's end, perform access checks on the server side for every request, keep access limited, and maintain detailed logs.
  3. Perform regular audits to identify any weakness in time.
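The lookup flaw described under "How does this happen?" and the three CERT-In measures above, shown side by side as an added example that is not code from the article or from CERT-In. The record store, user ids and id numbers are constructed sample values; the token map and owner check are one possible implementation, not a description of any affected site.

```python
import logging
import secrets

# Constructed sample store (sample values, not from the article): internal id -> record.
RECORDS = {
    101: {"owner": 101, "name": "Asha", "id_number": "XXXX-XXXX-1234"},
    102: {"owner": 102, "name": "Ravi", "id_number": "XXXX-XXXX-5678"},
}
AUDIT = []  # in-memory copy of the access log so it can be inspected
log = logging.getLogger("access")


def vulnerable_lookup(requested_id):
    """IDOR: trusts the id taken from the URL and never asks who is requesting."""
    return RECORDS.get(requested_id)


class IndirectReferenceMap:
    """Per-session map of opaque tokens to internal ids: links carry tokens, not ids."""

    def __init__(self):
        self._tokens = {}  # (session_user, token) -> internal id

    def issue(self, session_user, internal_id):
        token = secrets.token_urlsafe(16)  # unguessable, unlike a sequential id
        self._tokens[(session_user, token)] = internal_id
        return token

    def resolve(self, session_user, token):
        # A token issued to a different session simply does not resolve here.
        return self._tokens.get((session_user, token))


def hardened_lookup(refmap, session_user, token):
    """Server-side check on every request; every denial is logged with who asked for what."""
    internal_id = refmap.resolve(session_user, token)
    record = RECORDS.get(internal_id) if internal_id is not None else None
    # Ownership check on the server, independent of the token mapping (defence in depth).
    if record is None or record["owner"] != session_user:
        entry = f"DENY user={session_user} token={token[:8]}... id={internal_id}"
        log.warning(entry)
        AUDIT.append(entry)
        return None
    AUDIT.append(f"ALLOW user={session_user} id={internal_id}")
    return record
```

The vulnerable function hands back any record for any integer in the URL; the hardened one only returns a record when the token was issued to the requesting session and the record belongs to that user, and writes an audit entry either way.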

Digital Personal Data Protection (DPDP) Act, 2023
The Act imposes strict penalties for the mishandling of personal data, placing significant responsibility on data fiduciaries (organizations managing personal data) to implement robust safeguards, especially for sensitive information like Aadhaar. Entities found in violation of data protection regulations could face fines of up to Rs 250 crore, depending on the severity of the breach.

While the DPDP Act is yet to be implemented, the existing Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, already impose strict penalties on entities that mishandle sensitive personal data, including Aadhaar numbers.