sadalawpublications.com

Indian Government Fixes Critical Security Flaw in Income Tax E-Filing Portal, Preventing Major Data Leak

Introduction

The Government of India has successfully mitigated a major cybersecurity threat in its official Income Tax e-filing portal, preventing what could have been one of the largest data breaches in the country’s digital infrastructure.

In September 2025, security researchers Akshay CS and Viral discovered a serious vulnerability that exposed sensitive taxpayer information due to an Insecure Direct Object Reference (IDOR) flaw.

The Vulnerability: What Went Wrong

The flaw allowed any logged-in user to manipulate the Permanent Account Number (PAN) parameter in network requests and gain unauthorized access to the personal and financial data of other taxpayers.

This meant that by changing the PAN value, users could access another individual’s confidential details without needing special permissions or credentials — a classic example of an IDOR vulnerability that compromises data privacy.
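The vulnerable pattern described above, and the object-level authorization check that closes it, as an added illustration that is not code from the Income Tax portal or from the researchers' report. The records, PAN values, session structure and the `IDOR_ATTEMPT` audit line format are all constructed for this example; the point is that authentication (the user is logged in) is not authorization (the user may see this particular record), so the server must bind the requested object to the caller's identity rather than trust an identifier supplied in the request.

```python
from dataclasses import dataclass

# Constructed sample records keyed by PAN. Values are fictitious placeholders,
# not real taxpayer data.
TAXPAYERS = {
    "AAAAA0000A": {"name": "Taxpayer One", "bank_account": "XXXX1111"},
    "BBBBB1111B": {"name": "Taxpayer Two", "bank_account": "XXXX2222"},
}


@dataclass(frozen=True)
class Session:
    """Hypothetical server-side session: the PAN is bound at login, never from the client."""
    user_id: str
    pan: str


def get_profile_vulnerable(session, requested_pan):
    """IDOR: checks only that a user is logged in, then serves whatever PAN
    the request names. Any authenticated user can read any record."""
    if session is None:
        return 401, None
    record = TAXPAYERS.get(requested_pan)
    if record is None:
        return 404, None
    return 200, record


def get_profile_fixed(session, requested_pan, audit_log):
    """Object-level authorization: the requested record must belong to the
    caller. Mismatches are refused and written to an audit log so a SOC can
    spot enumeration across many PANs from one account."""
    if session is None:
        return 401, None
    if requested_pan != session.pan:
        # Constructed audit line format; some deployments return 404 here
        # instead of 403 so the response does not reveal whether the PAN exists.
        audit_log.append(f"IDOR_ATTEMPT user={session.user_id} pan={requested_pan}")
        return 403, None
    record = TAXPAYERS.get(requested_pan)
    if record is None:
        return 404, None
    return 200, record


def get_own_profile(session):
    """Stronger design: the endpoint does not accept a PAN parameter at all.
    The record is looked up from the identity already bound to the session,
    so there is no client-controlled identifier to tamper with."""
    if session is None:
        return 401, None
    record = TAXPAYERS.get(session.pan)
    if record is None:
        return 404, None
    return 200, record


def flag_enumeration(audit_log, threshold=3):
    """Detection helper: return user_ids with at least `threshold` refused
    cross-account requests, a signal that someone is iterating PAN values."""
    counts = {}
    for line in audit_log:
        if line.startswith("IDOR_ATTEMPT"):
            fields = dict(part.split("=", 1) for part in line.split()[1:])
            counts[fields["user"]] = counts.get(fields["user"], 0) + 1
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    me = Session(user_id="u1", pan="AAAAA0000A")
    log = []
    print(get_profile_vulnerable(me, "BBBBB1111B"))   # 200: another taxpayer's record
    print(get_profile_fixed(me, "BBBBB1111B", log))   # 403: refused and logged
    print(get_own_profile(me))                        # 200: only the caller's own record
    print(flag_enumeration(log, threshold=1))         # ['u1']
```

The `get_own_profile` variant is the design a reviewer would push for on an endpoint that only ever serves the caller's own data: if the identifier never leaves the session, there is nothing for a client to alter. Where an endpoint legitimately must take an identifier (a chartered accountant acting for several clients, for instance), the `get_profile_fixed` shape applies, with the allowed set of PANs stored server-side against the account rather than inferred from the request.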

Data Exposed by the Flaw

The vulnerability potentially exposed a vast amount of sensitive data, including:

  • Full names and residential addresses

  • Phone numbers and email IDs

  • Dates of birth

  • Bank account details

  • Aadhaar numbers

  • Tax filing information

Alarmingly, it also allowed access to data from users who had not yet filed their returns for the ongoing financial year 2024–25.

Swift Action by CERT-In and the Income Tax Department

Once the issue was reported to the Indian Computer Emergency Response Team (CERT-In), the Income Tax Department of India acted promptly.

By early October 2025, the vulnerability was patched and secured, effectively preventing any misuse or data breach. Authorities confirmed that no taxpayer data was compromised, crediting the swift coordination between security researchers and government cybersecurity teams.

Scale and Significance of the Threat

The Income Tax portal serves over 135 million registered users, with approximately 76 million tax filings recorded in the 2024–25 fiscal year.

Had the flaw been exploited, it could have resulted in one of the largest data breaches in India’s digital history, exposing millions of citizens and businesses to risks such as:

  • Identity theft

  • Financial fraud

  • Targeted phishing attacks

India’s Growing Focus on Cybersecurity

This incident highlights the growing importance of cybersecurity in government digital systems.

With the increasing digitization of public services under initiatives like Digital India, experts stress that regular vulnerability assessments, ethical hacking programs, and bug bounty collaborations with independent researchers are essential to safeguard citizens’ data.

Conclusion

The swift response from the Government of India, CERT-In, and the Income Tax Department prevented a potentially catastrophic data breach.

This case underscores the critical need for strong cybersecurity frameworks, ethical disclosure channels, and responsible vulnerability management — especially in government platforms handling sensitive personal and financial information.
