Feature #306

closed

Reg : KMB Bank Audit Observation

Added by Payodhi about 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: High
Assignee: Shiva_CIMS
Start date: 07/31/2023
Due date: 08/30/2023
% Done: 0%
Estimated time:
Project categorization: New

Description

Dear Shiva,

Kindly close the below mentioned observation points in KMB server.

Observations:

• Physical and Scanned copy of Aadhaar were not Encrypted: As per UIDAI Circular No 11020/205/2017 dated 25th July 2017 and Frequently Asked Questions (FAQs), the agencies need to keep the scanned copies encrypted and ensure security of both scanned copies and physical copies as per Aadhaar Act 2016 and Regulations.
• Reviewed security control for sample BC ‘NOCPL’; we noted that the KYC documents which are scanned and uploaded into the MLOS application are not encrypted when stored on the local system.

• Storage of Customer Aadhaar Numbers: As per UIDAI Circular No. 11020/205/2017 dated 25-July-2017, all entities / agencies are directed to mandatorily store Aadhaar Numbers and any connected Aadhaar data only on a separate secure database/vault/system. Aadhaar numbers shall not be stored in any other systems. The Aadhaar Number and any connected data maintained on the Aadhaar Data Vault shall always be encrypted.

• On review we noted the customer Aadhaar number is converted into a 14 digit reference number before it is stored. However, we observed that the same is not stored on a separate database / vault / system. Instead it is getting saved in the same application database.

• Customer Details Stored in Clear Text: On review we observed PII details shared by the customer for availing loan from the Business Correspondent “BC” (NOCPL), i.e. Voter ID, Date of Birth, are stored in clear text in the database of the application used by BC, i.e. phpMyAdmin.


Files

clipboard-202310301730-d9c8q.png (806 KB) Encryption_PII Shiva_CIMS, 09/20/2023 11:30 AM
Security_TC_NOCPL_KMBL.xlsx (24.7 KB) Rajkumar, 09/20/2023 01:30 PM