Sensitive user data from Aadhaar, India’s enormous biometric and demographic database, was being sold for the equivalent of $8 USD in a WhatsApp group. According to an investigation by a local reporter, one could get access to the Aadhaar database of more than one billion users by paying just INR 500, and a hard copy by paying an additional INR 300 ($4.5).
1.19 Billion Individuals’ Details for $8
The breach was revealed to the public when a reporter from The Tribune made a payment of just INR 500 using a mobile payment gateway, Paytm. It took only 10 minutes for an agent to create a gateway and login credentials to access the Aadhaar details.
By entering the provided credentials, the reporter was able to get all details on any person within the Unique Identification Authority of India (UIDAI) database. This data included personal information like names, contact numbers, addresses, photos, emails, and more.
Additionally, the sting operation team paid an extra INR 300 to get access to custom “software” that could provide users with the exact format of an Aadhaar card with stolen information.
“Except the Director-General and I, no third person in Punjab should have a login access to our official portal. Anyone else having access is illegal, and is a major national security breach,” said Sanjay Jindal, Additional Director-General at UIDAI’s regional office in Chandigarh.
Accordingly, the UIDAI has filed a police complaint against the people involved in the “racket,” but those responsible have not yet been identified.
A Single ID for All Details
The Indian government is already trying to connect the so-called “Aadhaar number” with the individual’s bank account, phone number, permanent account number (PAN), and more.
To this end, more than 1.19 billion Indians have been provided with a twelve-digit unique identity number, the Aadhaar number. More than 99% of the Indian adult population has enrolled in Aadhaar, per recent statistics from the Indian government.
This is not the first breach of the Aadhaar database. In May 2017, a similar breach compromised the Aadhaar data of 130 million citizens, including bank account details leaked from government websites.
UIDAI vs Tribune Reporter
At press time, UIDAI has denied the results of the Tribune’s sting operation, calling it a case of misreporting. The firm guaranteed that there had been no Aadhaar data leak and that all relevant information is safe and secure.
UIDAI stated that some designated officials might have misused the information provided to them and that no sensitive information can be accessed without biometrics.
@UIDAI maintains complete log & traceability of the facility, any misuse is traceable. Legal action taken, including FIR against persons involved. Search facility gives limited access to name & other details, has no access to biometric details @thetribunechd @rsprasad @ceo_uidai
— Aadhaar (@UIDAI) January 4, 2018
“UIDAI maintains complete log & traceability of the facility, any misuse is traceable. Legal action is taken, including FIR against persons involved. Search facility gives limited access to name & other details, has no access to biometric details,” the organization tweeted.
The statement seems to assert that a breach is only serious if it includes biometric details like fingerprint or iris scans. However, individuals whose personal information, such as email, phone number, and date of birth, is accessible without login might disagree.
What’s your take? Do you think the government should better understand the implications of storing massive amounts of user data? Sound off in the comments below.