Reported Aadhaar data breach has details as far back as 2014
French security researcher Elliot Alderson helped in uncovering the leak
The SBI recently alleged that UIDAI data has been misused to generate unauthorised Aadhaar cards
Yet another case of leaked Aadhaar details has emerged in India, with TechCrunch claiming that the unique identification numbers (UIN) of government workers in Jharkhand were left exposed and without a password on the state government’s website.
The reported breach, which had details going as far back as 2014, allowed anyone to access the names, job titles, and partial phone numbers of 166,000 workers. In addition, the filenames of the workers’ photos, which were also exposed on the site, were their Aadhaar numbers.
Although the data leak isn’t a direct breach of the central database run by Aadhaar’s regulator — the Unique Identification Authority of India (UIDAI) — the incident raises concern about how this personal data is being handled.
According to TechCrunch, it’s unclear why the Jharkhand government site was accessible to anyone who knew where to look, but little effort had been put in to ensure the security of the system.
Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, participated in uncovering the leak. Using fewer than a hundred lines of Python code, Robert showed that it was easy for anyone to scrape the entire site in batches to download the workers’ photos and corresponding Aadhaar numbers.
Aadhaar Blame Game
Security concerns over Aadhaar seem to be a never-ending tale of claims and counterclaims. Just this week, India’s largest bank, SBI, alleged that data from the UIDAI had been misused, with the logins and biometrics of Aadhaar operators used to generate unauthorised Aadhaar cards. The UIDAI refuted these claims, maintaining that everything was secure at their end.
Incidentally, it also later emerged that the SBI had an unprotected server that allowed anyone to access financial information on millions of its customers, like bank balances and recent transactions.
According to the Supreme Court’s ruling from September, Aadhaar is mandatory only for filing income tax returns and for the allotment of PAN. It won’t be essential for opening bank accounts or getting SIM cards from telecom operators. The effect of this judgement, however, doesn’t seem to dampen the government’s push to make Aadhaar the cornerstone of its schemes.
Union minister of law, electronics, and information technology Ravi Shankar Prasad is planning to make it mandatory for Indians to link their Aadhaar card with their driving licences.
India’s former national security adviser, MK Narayanan, recently urged caution on the use of Aadhaar cards, saying that the use of these cards is becoming more ubiquitous every day. It is also getting increasingly easy to mask an identity online.