GSTN Security 101: How secure is your data?

With GST taking all taxation formalities digital, concerns about data security are natural. ‘How secure is the data?’ is at the center of many conversations. With the recent series of malware attacks, people also ask, ‘How vulnerable is GSTN to ransomware attacks?’

In this blog, we address the security concerns based on data confidentiality and protection against malware.

Firstly, one needs to understand that GSTN has two different infrastructures, distinguished by how the ecosystem outside GSTN interacts with it for returns filing and similar tasks.

  1. The API Server: This server is primarily used by all the GST Suvidha Providers and the Application Service Providers. These interact with the external world primarily using JSON data streams over HTTP.
  2. The GSTN portal: The portal itself, where the files are sent.

Secondly, this blog addresses the security concerns in three parts for clarity:

Confidentiality of trade information

Access to invoice and trade data information is restricted to the taxpayer and the tax officer alone

The return filing system followed by the GST requires organisations to share many details present on the invoice, from the invoice value stating the unit price of goods or services to the line item details in the case of goods, along with other financial details of the business. Organisations consider information of this nature extremely confidential, as it could affect the business’ ability to remain competitive in the market. The GSTN has acknowledged the need to secure this information and taken it into consideration.

To ensure confidentiality, the GSTN has set protocols that allow access only to the taxpayer and the tax officer at the administration end. The only information available to any business is what they communicate to or receive from the GSTN, which is tracked based on the GSTIN.

Security of data during transfer

Use of JSON data streams over HTTP

‘But how will data security be monitored during GST return filing?’ is a question that many taxpayers are asking.

The first step taken to ensure security at this stage is the regulation that the GSP is also not allowed to store any of the data during transmission. The second step is ensuring that the ASPs encrypt the data before initiating return filing. But the most stringent of the measures taken is the use of JSON data streams over HTTP. While it is not impossible for a virus to propagate through this channel, the chances are extraordinarily low. Creating a virus that can infect this channel would require in-depth knowledge of the software that actually parses the data. This is not public knowledge. Moreover, a vulnerability would have to be found in that software that allows some other malicious code to be executed. The time investment, with no guarantee of results, is a strong deterrent to making this channel the focal point of any attack.
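The paragraph above points at the software that parses the JSON as the place where this channel can go wrong. As an added example, not taken from this blog or from GSTN, this is one way a receiving service can treat an invoice payload strictly as data and reject anything unexpected before further processing. The field names and the size cap are assumptions for illustration and are not the real GSTN API schema.

```python
import json
import re

MAX_BYTES = 64 * 1024  # assumed cap on one payload
# Published 15-character GSTIN layout: state code, PAN, entity code, 'Z', check character
GSTIN_RE = re.compile(r"[0-9]{2}[A-Z]{5}[0-9]{4}[A-Z][1-9A-Z]Z[0-9A-Z]")
# Hypothetical field names for illustration; not the real GSTN API schema
INVOICE_FIELDS = {"gstin": str, "invoice_no": str, "invoice_value": (int, float), "items": list}
ITEM_FIELDS = {"description": str, "quantity": int, "unit_price": (int, float)}

class RejectedPayload(ValueError):
    """Raised when a payload fails any structural check."""

def _no_duplicate_keys(pairs):
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise RejectedPayload("duplicate key in object")  # parsers disagree on which value wins
    return dict(pairs)

def _reject_constant(name):
    raise RejectedPayload(f"non-standard constant {name}")  # NaN, Infinity, -Infinity

def _check_fields(obj, spec, where):
    if not isinstance(obj, dict) or set(obj) != set(spec):
        raise RejectedPayload(f"{where}: unexpected or missing fields")
    for name, expected in spec.items():
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(obj[name], bool) or not isinstance(obj[name], expected):
            raise RejectedPayload(f"{where}.{name}: wrong type")

def parse_invoice(raw: bytes) -> dict:
    """Return the payload as plain data, or raise RejectedPayload."""
    if len(raw) > MAX_BYTES:
        raise RejectedPayload("payload too large")
    try:
        doc = json.loads(raw.decode("utf-8"), object_pairs_hook=_no_duplicate_keys,
                         parse_constant=_reject_constant)
    except (ValueError, RecursionError) as exc:  # bad UTF-8, bad JSON, deep nesting
        raise RejectedPayload(str(exc)) from exc
    _check_fields(doc, INVOICE_FIELDS, "invoice")
    if not GSTIN_RE.fullmatch(doc["gstin"]):
        raise RejectedPayload("invoice.gstin: bad format")
    for i, item in enumerate(doc["items"]):
        _check_fields(item, ITEM_FIELDS, f"items[{i}]")
    return doc

# Constructed sample payload; the GSTIN is made up and only matches the layout
SAMPLE = (b'{"gstin": "27ABCDE1234F1Z5", "invoice_no": "INV-001", "invoice_value": 1180.0,'
          b' "items": [{"description": "Widget", "quantity": 10, "unit_price": 100.0}]}')
```

Calling `parse_invoice(SAMPLE)` returns the parsed dictionary; any structural deviation raises `RejectedPayload` instead of reaching business logic.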

Security of the GST Network (GSTN) in itself

The GSTN has some of the best security practices in place

The data visibility at the GSTN is restricted, but is the GSTN vulnerable to malware? How does the network protect itself from malware attacks?

Linux-based systems with security measures to avoid malware attacks through Excel uploads are likely to be in place. Linux systems are known to be far more secure than Microsoft platforms. Creating malware needs knowledge of the code of the software that it is meant to infect. In the case of Linux, this information is not general knowledge. This puts security at the infrastructure level itself. The next level of security breach that can occur is malware coded into the Excel files transferred to the GSTN. This, however, can only be triggered by an action, and the malware would have to be created with the system that it is intended to infect in mind.

While these measures do not ensure that a security breach is impossible, they do make the task a lot more improbable. To support these measures, the GSTN will most likely also run periodic tests to find and plug any loopholes before there is a possibility of exploitation.