In 2010 India commenced scanning personal details like names, addresses, dates of birth, mobile numbers, as well as also more, along with all 10 fingerprints as well as also iris scans of its 1.3 billion citizens, into a centralized government database called Aadhaar to create a voluntary identity system. On Wednesday This kind of database was reportedly breached.
The Tribune, a local Indian newspaper, published a report claiming its reporters paid Rs. 500 (approximately $8) to a person who said his name was Anil Kumar, as well as also who they contacted through WhatsApp. Kumar was able to create a username as well as also password in which gave them access to the demographic information of nearly 1.2 billion Indians who have currently enrolled in Aadhaar, simply by entering a person’s unique 12-digit Aadhaar number. Regional officers working with the Unique Identification Authority of India (UIDAI), the government agency responsible for Aadhaar, told the Tribune the access was “illegal,” as well as also a “major national security breach.”
A second report, published on Thursday by the Quint, an Indian news website, revealed in which anyone can create an administrator account in which lets them access the Aadhaar database as long as they’re invited by an existing administrator.
Enrolling for an Aadhaar number isn’t mandatory, yet for months, India’s government has been coercing its citizens to sign up for the program by linking access to essential services like food subsidies, bank accounts, cell phone numbers, as well as also health insurance, among various other things, to Aadhaar. Critics have slammed the program for its ability to violate the privacy of Indians as well as also for its ability to turn India into a surveillance state, yet in which hasn’t stopped both Indian companies as well as also Silicon Valley giants like Uber, Airbnb, Microsoft, as well as also Amazon coming from figuring out ways to integrate the item with their products as well as also services in India.
Hours after the Tribune‘s report was published, India’s Narendra Modi-led Bharatiya Janata Party dismissed the item as “fake news.”
In a statement provided to BuzzFeed News, the UIDAI said the item “denied” the Tribune report as well as also in which “Aadhaar data including biometric information is usually fully safe as well as also secure.” The agency claimed in which the newspaper had misused a database search mechanism available only to government officials as well as also said in which the item could pursue legal action against people responsible for the unauthorized access.
“Claims of bypassing or duping the Aadhaar enrolment system are totally unfounded,” said the statement. “Aadhaar data is usually fully safe as well as also secure as well as also has robust, uncompromised security. The UIDAI Data Centres are infrastructure of critical importance as well as also [are] protected accordingly with high technology conforming to the best standards of security as well as also also by legal provisions.”
Nikhil Pahwa, editor of Indian technology news website Medianama as well as also a staunch Aadhaar critic, pushed back against This kind of statement. “What The Tribune story suggests in which there was unauthorized access to the Aadhaar database, because someone was able to pay for in which access. I’m not sure if the UIDAI is usually trying to weasel out of This kind of situation by saying in which This kind of wasn’t technically a ‘breach,’” he said.
BuzzFeed News tracked down Kumar, who said his name was a pseudonym. Kumar told BuzzFeed News in which he had provided access to the Aadhaar database to seven various other people besides the Tribune reporter within the last week for Rs. 500 a pop yet claimed in which he didn’t know he was compromising people’s privacy as well as also breaching the law when he did so. “I paid Rs. 6,000 (approximately $95) to an anonymous person in a WhatsApp group I was a part of to create an username as well as also password to the Aadhaar database for myself,” he said. “I was told in which I could then create as many usernames as well as also passwords to access the database as I wanted. I sold each of them to make my Rs. 6,000 back.”
Critics of the program are outraged at the breach. “We have been warning for a while about the single access problem with the design of the [Aadhaar server],” Meghnad S, a spokesperson for SpeakForMe.in, an online movement in which lets Indians automatically send emails to their member of Parliament, bank, mobile carrier, as well as also others to protest against the Aadhaar program, told BuzzFeed News.
Meghnad said the Aadhaar Act, which governs the program, imposes penalties on illegal access yet does not prevent illegal access within the first place.
“Once the database is usually breached, the damage is usually already done,” he said. “In its hurry to make Aadhaar mandatory as well as also not ensuring data safety, the government has allowed shady vendors to exploit This kind of data for their own gains.”
Security researcher Troy Hunt told BuzzFeed News in which any large aggregations of personal data such as Aadhaar always pose a risk to the privacy of citizens, as well as also cited the example of a person in a privileged position selling access to Australia’s Medicare system last year.
“The government in India will need to assess how much data was accessed by unauthorised parties, who was responsible, as well as also currently what actions should be taken to protect impacted parties,” Hunt said.
This kind of isn’t the 1st time in which Aadhaar data has been exposed. In November 2017, over 0 Indian government websites accidentally exposed Aadhaar-linked demographic details of an unknown number of Indians, an RTI query — India’s variation of the FOIA — revealed. At the time, the UIDAI issued a press Discharge titled: “Aadhaar data is usually never breached or leaked.”