Major Security Lapse in Income Tax Portal: Millions of Taxpayers’ Personal Data Exposed Due to Software Bug

A major cybersecurity lapse has recently been discovered in the Indian government’s Income Tax e-filing portal, potentially putting the personal data of over 13.5 crore taxpayers at risk. The portal, which is used by individuals and businesses across the country to file their income tax returns, reportedly contained a critical software bug that briefly exposed sensitive user information, including Aadhaar numbers, bank details, mobile numbers, and addresses.
How the Security Glitch Was Found
According to reports, the vulnerability was detected by two cybersecurity researchers during a routine check. They discovered that when a user logged into the e-filing website and attempted to update or change their PAN number, the system failed to verify whether the data being accessed actually belonged to the logged-in user.
In simple terms, if someone entered another person’s PAN number, the website displayed that individual’s personal details — without asking for a password or OTP verification. This flaw made it possible for unauthorized users to access confidential data in just a few clicks.
The Technical Cause: An IDOR Vulnerability
Experts have identified the flaw as an IDOR (Insecure Direct Object Reference) vulnerability. This is a common web security issue in which the application takes an object identifier supplied by the client (here, a PAN) and returns the matching record without checking that the logged-in user is actually authorized to access it.
In this case, the Income Tax portal’s backend failed to verify ownership of the requested PAN-linked data. As a result, users could view information belonging to others — a serious privacy and security breach.
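The pattern described above, shown as an added illustration rather than code from the Income Tax portal: a record lookup that trusts a client-supplied PAN beside the same lookup with a server-side ownership check. The record store, session handling, function names and the sample PANs are all constructed for this example; a real fix would additionally derive the PAN from the authenticated session and never accept it from the request at all.

```python
# Added example: an IDOR-style record lookup and its hardened counterpart.
# Not code from the Income Tax e-filing portal; all names and data are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class TaxpayerRecord:
    pan: str
    name: str
    aadhaar_last4: str
    mobile: str


# Constructed sample records (fictional PANs and details).
RECORDS = {
    "ABCDE1234F": TaxpayerRecord("ABCDE1234F", "Asha", "1234", "98xxxxxx01"),
    "PQRST5678K": TaxpayerRecord("PQRST5678K", "Ravi", "5678", "98xxxxxx02"),
}

# Which PAN each logged-in account owns (session user id -> PAN).
OWNERSHIP = {"user-1": "ABCDE1234F", "user-2": "PQRST5678K"}


class Forbidden(Exception):
    """Raised when a request is refused by the access check."""


def vulnerable_lookup(session_user: str, requested_pan: str):
    """IDOR: only checks that *someone* is logged in, then returns whatever
    PAN the client asked for. Any authenticated user can read any record."""
    if session_user not in OWNERSHIP:
        raise Forbidden("not logged in")
    return RECORDS.get(requested_pan)


def safe_lookup(session_user: str, requested_pan: str, audit: list):
    """Hardened: the requested PAN must be the one bound to the session's
    account. A mismatch is refused and written to an audit trail so that
    repeated probing can be detected by monitoring."""
    owned_pan = OWNERSHIP.get(session_user)
    if owned_pan is None:
        raise Forbidden("not logged in")
    if requested_pan != owned_pan:
        audit.append(f"IDOR_ATTEMPT user={session_user} requested_pan={requested_pan}")
        raise Forbidden("record does not belong to this account")
    return RECORDS.get(owned_pan)


def session_bound_lookup(session_user: str):
    """Preferred design: the identifier never comes from the client at all;
    the server resolves it from the authenticated session."""
    owned_pan = OWNERSHIP.get(session_user)
    if owned_pan is None:
        raise Forbidden("not logged in")
    return RECORDS.get(owned_pan)


if __name__ == "__main__":
    audit_log: list = []
    print("vulnerable:", vulnerable_lookup("user-1", "PQRST5678K"))  # another user's record
    try:
        safe_lookup("user-1", "PQRST5678K", audit_log)
    except Forbidden as exc:
        print("safe:", exc)
    print("audit:", audit_log)
    print("session-bound:", session_bound_lookup("user-1"))
```

The audit line matters as much as the refusal: a single mismatched request may be a typo, but a burst of them from one session is the signal an operations team would alert on.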
Cybersecurity professionals warn that such bugs can lead to large-scale data exposure if exploited by hackers. PAN and Aadhaar details are key identifiers that can be misused for identity theft, phishing attacks, or fraudulent financial transactions.
Immediate Action Taken by Authorities
Once the researchers confirmed the bug, they immediately informed the concerned government authorities, including CERT-In (Indian Computer Emergency Response Team) — India’s national cybersecurity agency. The issue was acknowledged, and corrective steps were taken to patch the vulnerability.
According to official sources, the system has now been secured, and the e-filing portal is functioning safely again. The government is also said to be reviewing its cybersecurity infrastructure to prevent similar incidents in the future.
Potential Risks and What Could Have Happened
Had this vulnerability remained undetected for longer, it could have exposed millions of taxpayers — including individuals, corporations, and professionals — to severe cyber risks. Sensitive data like bank account numbers, addresses, and Aadhaar-linked information could have been exploited by cybercriminals to conduct fraudulent transactions, apply for loans, or commit identity fraud.
Experts suggest that even temporary exposure of such data can lead to long-term consequences. Once personal information is leaked online, it can circulate in illegal data markets and be used for years in targeted scams or financial crimes.
What Users Should Do
While the bug has now been fixed, cybersecurity experts recommend that taxpayers take extra precautions:
- Update passwords regularly for their e-filing and bank accounts.
- Avoid sharing PAN, Aadhaar, or login details on unknown platforms.
- Use two-factor authentication (2FA) wherever possible.
- Monitor bank and credit card statements for unusual transactions.
- Report any suspicious activity immediately to the Income Tax Department or CERT-In.
A Wake-Up Call for Digital Security
This incident serves as a reminder of how vulnerable large-scale digital systems can be, even those operated by government agencies. With India’s growing shift toward digital governance, ensuring robust cybersecurity protocols is no longer optional — it’s essential.
While authorities acted swiftly to fix the issue, this breach highlights the need for continuous monitoring, vulnerability testing, and public awareness to safeguard citizens’ personal data in an increasingly digital world.