Aadhaar, India’s massive biometric database, is facing new allegations of compromise after local journalists reported paying the equivalent of $8 in Indian rupees for full administrative access.
With nearly 1.2 billion assigned numbers, the Aadhaar program, launched in 2009, is the largest national database of people in the world. The unique 12-digit codes assigned to citizens and other Indian residents are maintained by the Unique Identification Authority (UIDAI) and are linked to a wealth of personal information, including biometric data such as fingerprints and iris scans.
The program was intended to give Indian residents easy access to social programs for healthcare, education, and general welfare; however, the program began rapidly expanding in 2014, not long after the Indian National Congress (INC) performed terribly in parliamentary elections. The government began seeding Aadhaar numbers into numerous government databases and, as BuzzFeed’s Pranav Dixit reports, major tech companies such as Amazon and Uber have sought access for their own purposes.
Aadhaar has suffered breaches before; Gizmodo reported 130 million Indian residents at risk after a leak in biometric system data last spring. But fresh reports from local sources, highlighted by Dixit on Thursday, indicate security around the system may be even worse than imagined.
Journalists at local paper The Tribune report that for Rs 500 (roughly $8), they were able to purchase a username and password that gave them full access to the Aadhaar systems from a man they contacted using WhatsApp. Needless to say, UIDAI officials were concerned and, according to The Tribune, authorities considered this a “major national security breach.”
A second report, published by Indian news website The Quint, detailed a security loophole that gave anyone with administrative access the ability to grant anyone else full access. “Let’s say [Person X] gives access to person Y and person Z,” the site explained: “Persons Y and Z can then log onto the Aadhaar portal and add Persons A, B, C, and so on.” With these privileges, users would have access to information like names, addresses, dates of birth, parents’ names, gender, mobile numbers, language—but not iris scans or fingerprint data.
Naturally, most of the controversy around Aadhaar is focused on the potential for privacy invasion, but identity theft is also a major concern. In an interview last year, an INC member told Gizmodo that while the system itself is “amazingly modern” and, in the right hands, capable of much good, noticeably absent are privacy laws and the regulatory framework one would expect to follow such a massive data collection effort.
What’s more, a high-tech system designed to pair uniquely assigned numbers with biometric data was turning—due to a lack of biometric sensors around the country—into something more akin to the Social Security numbers used in the United States, which is, of course, very problematic. Basically, Aadhaar numbers are not often checked against the fingerprints or iris scans of the cardholders, which makes these newly reported security lapses in the system a truly significant event.
Last year, a breach at four national- and state-run databases leaked as many as 130-135 million Aadhaar numbers. And this was a month after a spreadsheet, which could found using Google, leaked containing thousands of numbers, addresses, and tax ID numbers.
Update, 3pm: UIDAI is insisting publicly that there was no “breach,” just a potential case of unauthorized use. So they’re quibbling over semantics. A data breach occurs when an organization loses control over its data; when someone who is not authorized manages to obtain it. For example: Yesterday, the US Department of Homeland Security announced that information belonging to thousands of federal employees had been found in the possession of a former employee who should not have had access to that information. That is a data breach.
UIDAI appears to be saying that it wasn’t hacked, i.e., the victim of a cyberattack, and that falls in line with what we’ve seen and reported so far. But it has also insisted that anyone who accessed the Aadhaar system can be traced. That’s simply not how things works. Anonymity online is fairly easy to achieve.
As Business Today notes, similar denials about breaches have been issued by UIDAI in the past following leaks:
This is in line with the UIDAI’s stand on previous cases of Aadhaar data leak, like the November 2017 fiasco when 210 government websites were found making Aadhaar info public. Back then, too, the official stand was that “biometric information is never shared and is fully secure with highest encryption at UIDAI and mere display of demographic information cannot be misused without biometrics”.
This statement appears to be asserting that a leak is only critical if it includes fingerprints or iris scans. But the people whose addresses, phone numbers, parents’ names, and dates of birth may have been left accessible without authorization might disagree. What’s important in a data breach is the information that’s compromised; not the bits you managed to keep safe.