French cybersecurity expert Baptiste Robert, who goes by the alias Elliot Anderson, has reported a massive Aadhaar data breach on the website of Indian Oil Corporation-owned LPG brand Indane.
According to Anderson’s blog, Aadhaar details of over 6.7 Mn users, including names, addresses and Aadhaar numbers, were leaked on Indane’s website. The leak happened through the section of the website meant for Indane dealers and distributors, which can be accessed through a username and password.
“Due to a lack of authentication in the local dealers portal, Indane is leaking the names, addresses and the Aadhaar numbers of their customers,” Anderson wrote.
This is not the first time that Anderson has pointed out loopholes in the security of the Aadhaar database. Last year, Anderson uploaded website links containing the Aadhaar data of several thousand people on Twitter. He also uploaded a tutorial video showing how one can breach Aadhaar data in a minute.
This is the second Aadhaar data breach reported this month (February). Two weeks back, unique identification numbers (UIN) of government workers in Jharkhand were publicly exposed through a state government website, a development that Anderson also helped uncover.
Aadhaar: An Ongoing Fiasco
Last year, UIDAI CEO Ajay Bhushan Pandey told the Supreme Court that personal data acquired during enrolment, including biometrics, was encrypted and couldn’t be hacked, adding that “it would take more than the age of the universe to break one encryption”.
In September 2018, the top court, in its landmark judgement on Aadhaar validation, directed that Aadhaar will only be mandatory for the filing of income tax returns and PAN linking. Meanwhile, Union Minister of Law, Electronics and Information Technology Ravi Shankar Prasad has said that the central government is planning to link Aadhaar with people’s driving licences.
Last month, the State Bank of India (SBI) demanded that UIDAI check an alleged “misuse of Aadhaar biometrics” and find the causes that led to its misuse. It was also reported that some officials, who were appointed by the SBI in the Chandigarh region and were responsible for Aadhaar enrolment, had been misusing their operator ID to generate Aadhaar cards using fraudulent documents during the period between November 9 and November 17, 2018.
Meanwhile, the Aadhaar Amendment Bill, which had already been passed by the Lok Sabha, has lapsed. With other issues taking precedence ahead of the general election due in a few months, the bill could not be introduced in the Rajya Sabha. The opposition in the Lok Sabha had earlier said that the bill contradicted the Supreme Court’s verdict on Aadhaar.