In 2009 India began collecting personal details such as names, addresses, dates of birth, and mobile numbers, along with all 10 fingerprints and iris scans, from its 1.3 billion citizens into a centralized government database called Aadhaar, intended as a voluntary identity system. On Wednesday this database was reportedly breached.
The Tribune, an Indian newspaper, published a report saying its reporters paid Rs. 500 (approximately $8) to a person who gave his name as Anil Kumar and whom they contacted through WhatsApp. Kumar created a username and password for them; with that login, entering any person’s unique 12-digit Aadhaar number returned the demographic information held on that person, giving the reporters reach into the records of the nearly 1.2 billion Indians currently enrolled in Aadhaar. Regional officers of the Unique Identification Authority of India (UIDAI), the government agency responsible for Aadhaar, told the Tribune the access was “illegal” and a “major national security breach.”
A second report, published on Thursday by the Quint, an Indian news website, found that an existing administrator could invite anyone to create an administrator account of their own, with the same access to the Aadhaar database; nothing beyond that invitation was required.
Enrolling for an Aadhaar number isn’t mandatory, but for months India’s government has been coercing its citizens to sign up by linking access to essential services, including food subsidies, bank accounts, cell phone numbers, and health insurance, to Aadhaar. Critics have attacked the program for its potential to violate the privacy of Indians and to turn India into a surveillance state, but that hasn’t stopped Indian companies and Silicon Valley giants like Uber, Airbnb, Microsoft, and Amazon from finding ways to integrate it with their products and services in India.
Hours after the Tribune's report was published, India’s Narendra Modi-led Bharatiya Janata Party dismissed it as “fake news.”
In a statement provided to BuzzFeed News, the UIDAI said it “denied” the Tribune report and that “Aadhaar data including biometric information is fully safe and secure.” The agency claimed that the newspaper had misused a database search mechanism available only to government officials and said that it would pursue legal action against people responsible for the unauthorized access.
“Claims of bypassing or duping the Aadhaar enrolment system are totally unfounded,” said the statement. “Aadhaar data is fully safe and secure and has robust, uncompromised security. The UIDAI Data Centres are infrastructure of critical importance and [are] protected accordingly with high technology conforming to the best standards of security and also by legal provisions.”
Nikhil Pahwa, editor of Indian technology news website Medianama and a staunch Aadhaar critic, pushed back against this statement. “What The Tribune story suggests is that there was unauthorized access to the Aadhaar database, because someone was able to pay for that access. I'm not sure if the UIDAI is trying to weasel out of this situation by saying that this wasn't technically a ‘breach,’” he said.
BuzzFeed News tracked down Kumar, who said his name was a pseudonym. Kumar told BuzzFeed News that he had provided access to the Aadhaar database to seven other people besides the Tribune reporter in the last week for Rs. 500 a pop, but claimed that he didn’t know he was compromising people’s privacy and breaching the law when he did so. “I paid Rs. 6,000 (approximately $95) to an anonymous person in a WhatsApp group I was a part of to create a username and password to the Aadhaar database for myself,” he said. “I was told that I could then create as many usernames and passwords to access the database as I wanted. I sold each of them to make my Rs. 6,000 back.”
Critics of the program are outraged at the breach. “We have been warning for a while about the single access problem with the design of the [Aadhaar server],” Meghnad S, a spokesperson for SpeakForMe.in, an online movement that lets Indians automatically send emails to their member of Parliament, bank, mobile carrier, and others to protest against the Aadhaar program, told BuzzFeed News.
Meghnad said the Aadhaar Act, which governs the program, imposes penalties on illegal access but does not prevent illegal access in the first place.
“Once the database is breached, the damage is already done,” he said. “In its hurry to make Aadhaar mandatory and not ensuring data safety, the government has allowed shady vendors to exploit this data for their own gains.”
Security researcher Troy Hunt told BuzzFeed News that any large aggregation of personal data such as Aadhaar poses a risk to the privacy of citizens, and cited the case last year of a person in a privileged position selling access to Australia’s Medicare system.
“The government in India will need to assess how much data was accessed by unauthorised parties, who was responsible, and now what actions should be taken to protect impacted parties,” Hunt said.
This isn't the first time Aadhaar data has been exposed. In November 2017, an RTI query (India's equivalent of a FOIA request) revealed that over 200 Indian government websites had inadvertently published Aadhaar-linked demographic details of an unknown number of Indians. At the time, the UIDAI issued a press release titled: “Aadhaar data is never breached or leaked.”