Billion people at risk? Indian citizens' ID data selling for $8
The Tribune, which is based in Chandigarh, reported that one of its correspondents was able to buy a login ID and password for the Aadhaar system via a Whatsapp group.
According to the publication, a correspondent paid just 500 Indian rupees, around $8, to an unknown “agent,” who facilitated access to individual names, addresses, photo and contact details on the Aadhaar portal system.
It’s suggested that a person or persons with the ability to appoint an administrator to the system may be behind the incident, during which the reporter was given the chance to print an unauthorized Aadhaar card.
The Unique Identification Authority of India, the government programme which manages the deduplication ID system, denies a data breach. It described The Tribune article as “a case of misreporting”.
No #Aadhaar data breach; Aadhaar data including biometric information is fully safe and secure: @UIDAI, denying report by @thetribunechd, saying it is a case of misreporting 1/2 pic.twitter.com/2d4ORHqqMh— PIB India (@PIB_India) January 4, 2018
However, it added that a search facility for grievance procedures, which was given to designated personnel and state government officials, may have been misused.
The grievance redressal search “gives only limited access to name and other details and has no access to biometric details,” according to the UIDAI.
“UIDAI reassures that there has not been any data breach of (the) biometric database which remains fully safe and secure with highest encryption at UIDAI and mere display of demographic information cannot be misused without biometrics,” the government issued statement read.
More than 1.1 billion people are enrolled on the Aadhaar system. Designed to weed out identity fraud in the densely populated nation, the Aadhaar identity card contains 12 digits unique to each Indian resident.
According to the UIAI website, the Aadhaar system contains biometric data – scans of people’s fingerprints, irs and facial features. Demographic information such as name, date of birth, age, gender and address are also stored by authorities.
The Tribune has since responded to the accusations of “misreporting” by saying that the UIAI’s denial “flies in the face” of the facts.
Stories related to Tribune’s Aadhaar Exposé•Rs 500, 10 minutes, and you have access to billion Aadhaar details https://t.co/F8vkCsmP98•UIDAI says Tribune story ‘misreporting’, read how that is wrong https://t.co/kc60kErycq (1/2) | #securitybreach | #AadhaarData— The Tribune (@thetribunechd) January 4, 2018
In a lengthy rebuttal, the newspaper added that the UIAI’s acknowledgement of misuse with regards to a search facility raises concerns about Aadhaar security. “The fact is that it has been ‘misused’ to steal data – personal information such as name, date of birth, address, PIN, photo, phone number, e-mail – at will, for any Aadhaar number,” The Tribune stated.
“Its [UIAI] second claim… That they are able to track all those who access the data only suggests that they will now be able to nab the people involved in the racket. But that does not change the fact that a large number of people have been accessing the data in an unauthorized manner.”
“Also, the tracking system obviously never realized that unauthorized people were accessing the data.”