Telegram Group Join Now

Relevance: GS-II (e-Governance, Transparency); GS-III (Cybersecurity, Internal Security) Source: Cybersecurity & Legal Reviews, 2026

1 · What is the news in simple words?

The UMANG app is one of India’s biggest digital platforms, acting as a single-window portal where citizens can access over 2,400 government services—from provident funds to gas bookings.

However, independent cybersecurity researchers recently discovered severe design flaws in the app’s underlying code. These hidden loopholes accidentally exposed the personal details and financial records of millions of citizens across multiple government databases!

2 · What kind of data was exposed?

Because of a leaky Application Programming Interface (API)—the invisible bridge that connects different software systems—several critical citizen datasets were left unprotected in plain text:

The EPFO Module
UAN Numbers Exposed
The Employees’ Provident Fund Organisation (EPFO) is UMANG’s most popular service. The technical breach left the Unique Account Numbers (UAN) of millions of salaried employees vulnerable to hackers.
Plain-Text Leaks
National Identity IDs
Critical 12-digit national identity numbers were found exposed in unencrypted, readable text within third-party services linked to the app, violating statutory storage rules.
The Quick Fix
Security by Obscurity?
The government quickly added basic encryption and restricted how fast people could request data. But researchers warned these were temporary band-aids that failed to fix the core coding flaws.
The Real Danger
Scams and Financial Theft
When fraudsters get hold of official ID numbers and UANs, they can launch convincing phishing scams, steal identities, or attempt to change bank details to siphon off hard-earned pension money.

  • What should be done? Instead of relying on secrecy, government portals must adopt a ‘Zero-Trust’ architecture—meaning every digital request is double-checked and strictly encrypted by default.
  • Encouraging Ethical Hackers: India urgently needs a formal Vulnerabilities Disclosure Program (VDP) to protect and reward well-meaning tech experts who report software bugs to the government before criminals find them.

UPSC Prelims Quick Facts
DPDP Act, 2023 Digital Personal Data Protection Act. It places a strict legal duty on “Data Fiduciaries” (including government apps) to safeguard user data, imposing heavy fines for security failures.
CERT-In Computer Emergency Response Team, India. The national nodal agency operating under MeitY responsible for handling cyber incidents and issuing security alerts.
NeGD National e-Governance Division. An independent division under MeitY that designs and manages Digital India platforms like UMANG and DigiLocker.
Right to Privacy In the landmark K.S. Puttaswamy judgment, the Supreme Court ruled that privacy is a Fundamental Right under Article 21, obligating the state to protect citizens’ digital records.

MCQ Practice Question
Q. With reference to India’s digital governance and cybersecurity architecture, consider the following statements:

  1. The National e-Governance Division (NeGD) is directly responsible for developing and managing the UMANG platform.
  2. Under the Digital Personal Data Protection (DPDP) Act, 2023, government bodies are completely exempt from financial penalties in the event of a personal data breach.
  3. CERT-In functions as the national nodal agency for responding to computer security incidents under the Ministry of Electronics and Information Technology.

Which of the statements given above is/are correct?
(a) 1 and 2 only    (b) 1 and 3 only    (c) 2 and 3 only    (d) 1, 2 and 3

Answer: (b) 1 and 3 only

  • Statement 1 — Correct: NeGD, an autonomous business division under MeitY, develops and maintains core Digital India applications including UMANG and DigiLocker.
  • Statement 2 — Incorrect (the trap): The DPDP Act places a legal fiduciary duty on state agencies as well. While the state has specific exemptions for national security or law enforcement, government platforms like UMANG or EPFO are not blanketly exempt from maintaining reasonable security safeguards to prevent data breaches.
  • Statement 3 — Correct: CERT-In is officially the statutory nodal agency under MeitY for cyber incident response and vulnerability management across the country.

Start Yours at Ajmal IAS – with Mentorship StrategyDisciplineClarityResults that Drives Success

Your dream deserves this moment — begin it here.