A data breach at the Employees’ Provident Fund Organisation (EPFO), a retirement fund for salaried workers, may have exposed the personal information of millions of Indians.

On May 01, a letter from the central provident fund commissioner, V P Joy, to Dinesh Tyagi, the CEO of the government’s Common Services Centre (CSC), which provides digital services, was leaked on Twitter. Dated March 23, the letter said that the Intelligence Bureau had found that data had been “stolen by hackers exploiting the vulnerabilities prevailing in the website (aadhaar.epfoservices.com) of the EPFO.”

On the website, hosted at the National Data Centre but managed by the CSC, individuals could link their provident funds with Aadhaar, India’s biometric identity programme. While not mandatory, the EPFO had been encouraging subscribers to link their accounts with Aadhaar to improve the delivery of services.

Joy reportedly stated in the letter that the EPFO had stopped the servers of the site and discontinued its hosted services, and urged Tyagi to plug the security gaps. The website maintained confidential information such as Aadhaar and PAN numbers (taxpayer identification codes), as well as salary details.

It’s not clear how many Indians may have been affected, but the EPFO has reportedly linked 34.5 million active provident fund accounts with Aadhaar. No one has claimed responsibility for the hack as yet. The Unique Identification Authority of India, which is responsible for the Aadhaar platform, has clarified that the affected website does not belong to it, and that no data breach has occurred at its end.

On May 02, the EPFO released a statement saying “no confirmed data leakage has been established or observed so far.” A senior official told The Times of India newspaper that the data was completely secure and there was no need to panic.

Nevertheless, a series of reported data breaches has raised concerns about the safety of personal information in the hands of the Indian government. In the period between April 2017 and January 2018 alone, 114 government portals were hacked, according to data provided to parliament by the minister of state for electronics and IT.

Over the past year, the authorities and private companies have stepped up efforts to get more and more Indians to link their Aadhaar numbers with everything from bank accounts to mutual funds to mobile phone services. This, despite several embarrassing breaches that have reportedly revealed the personal information of hundreds of thousands of people. In one instance, the private data of a billion Indians were reportedly offered for sale for as little as Rs500 (less than $8). The government has, however, denied that any such leaks have taken place.

India’s supreme court is hearing petitions against the forced linking of the controversial biometric programme with other services, but millions of Indians may have already lost control of their private information.