Thiruvananthapuram: A serious security breach that gives unauthorized persons access to the Service and Payroll Repository of Kerala (SPARK), the database of over 5.5 lakh government employees and pensioners in the state, has been reported.
It was found that thousands of confidential usernames and passwords used by Drawing and Disbursing Officers (DDOs) for processing salaries through SPARK have fallen into the hands of individuals and private firms.
Investigations revealed that, due to workload, most of the DDOs outsource the work of preparing salary bills to private agencies, putting data confidentiality and security under threat.
There are 30,000 DDOs in Kerala who take care of payroll and other accounts/service activities. Only DDOs or office staff authorized by them can process salary bills through SPARK. Personal and official data of each employee is stored in the web-based application. Since the SPARK account passwords are not changed regularly, anybody who holds them gets unfettered access to the data.
Normally, the salary bills are prepared in the last week of the month. If there is a delay in processing salaries, the disbursal too would be delayed. In order to avoid this, most of the DDOs are forced to enter into contracts with private agencies to get this work done and hand over the secret usernames and passwords to them. A circular issued to the DDOs stated that giving access to the confidential data to Internet cafes is a serious cause of concern and advised them to exercise great caution.
DDOs in charge of offices with fewer employees do this time-consuming work all by themselves. The usernames and passwords are found to be leaked mostly from schools and other government institutions with more than a hundred staff members.
In the police department, the salary bills are processed from the office of the district police chief. So, if private parties gain access to these usernames and passwords, they will be able to breach the database containing personal and official information of thousands of police and ministerial-level personnel.
SPARK rendered vulnerable
The database of this web-based application, which integrates the personnel and payroll management systems for government employees, is linked to the server at the State Data Center in Thiruvananthapuram. Each government servant’s name, address, date of birth, Aadhaar card number, bank account, phone number, e-mail address, salary details, service records, loan history, information on disciplinary actions and transfer announcements as well as government orders are stored in this application.
The data breaches are in flagrant violation of the fundamental right to privacy. There are companies that pay hefty sums to collect salary and loan details, phone numbers, e-mail addresses and other personal information of employees. They use this data to send spam SMSs and emails to market their services and products.
More importantly, bogus identity cards could also be created by using such personal information. There are also high chances of 'vishing' fraudsters draining employees' bank accounts by manipulating the leaked data.