A vast majority of Indian citizens—more than a billion people—are potentially affected by the exposure of the country’s biometric database.
An Indian newspaper reporter uncovered the issue as part of an investigative effort into the security of the Unique Identification Authority of India (UIDAI), which serves as the issuing authority for Aadhaar cards. These voluntary cards have a 12-digit unique identification number, strengthened by a fingerprint and iris scan of the recipient. The cards are used for authentication with several state-owned entities and departments, including those responsible for subsidies and the national health service, as well as public sector banks and other organizations, such as the Life Insurance Corporation of India. UIDAI has repeatedly touted the security of the system.
During the course of the investigation, The Tribune of India was able to obtain administrator-level credentials for accessing the entirety of the database for just $8.
“[We] ‘purchased’ a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far,” the paper explained. “It took just Rs 500 [around $8], paid through Paytm, and 10 minutes in which an ‘agent’ of the group running the racket created a ‘gateway’ for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI..., including name, address, postal code (PIN), photo, phone number and email.”
The Tribune team also paid an additional $5 for the ability to print facsimiles of specific Aadhaar cards after entering the Aadhaar number of any individual.
UIDAI publicly downplayed the issue, saying the exposed records contained "mere demographic" details and no biometric data, so the fake cards would be of limited use in most cases.
Even so, a government official told the Times of India that UIDAI has restricted the access of about 5,000 official administrators of the Aadhaar portal while it overhauls the system, indicating that the "service" the Tribune bought was simply one of these officials' stolen log-ins being resold. Previously, any administrator's credentials granted unfettered access to the demographic details of anyone in the system, so a single leaked login was enough to look up any record. To shut down the problem, access going forward will be authenticated by the fingerprint of the Aadhaar holder, and the data returned will be restricted to that one holder's record.
Meanwhile, the reporter who broke the story has been slapped with a criminal complaint.
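The access-control change described above, modelled as an added example. This is constructed code, not UIDAI's system or design: the record values, the operator login and the 12-digit numbers are made up, and a short-lived HMAC-signed assertion from an assumed separate biometric-authentication service stands in for the fingerprint match. It contrasts the original model, in which any operator login returns any record, with a holder-bound model in which the login alone releases nothing.

```python
"""Constructed model of the Aadhaar portal access change: operator-only vs. holder-bound lookup."""
import hashlib
import hmac
import secrets
import time

# Constructed sample records keyed by a 12-digit Aadhaar-style number (not real data).
RECORDS = {
    "123412341234": {"name": "A. Sample", "pin": "160017", "phone": "9876543210"},
    "567856785678": {"name": "B. Sample", "pin": "110001", "phone": "9123456780"},
}

# Constructed operator (administrator) credentials: the kind of login that was resold.
OPERATORS = {"agent01": "s3cret"}


def lookup_unrestricted(user, password, aadhaar_no):
    """Original model: any valid operator login returns any record."""
    if OPERATORS.get(user) != password:
        raise PermissionError("bad operator credentials")
    return RECORDS.get(aadhaar_no)


def enumerate_with_stolen_login(user, password):
    """With a stolen login, the original model lets the holder walk the whole table."""
    return {n: lookup_unrestricted(user, password, n) for n in RECORDS}


# Hardened model. AUTH_KEY is assumed to be held only by the biometric-auth service.
AUTH_KEY = secrets.token_bytes(32)
USED_NONCES = set()


def _assertion_tag(sub, nonce, exp):
    msg = f"{sub}|{nonce}|{exp}".encode()
    return hmac.new(AUTH_KEY, msg, hashlib.sha256).hexdigest()


def issue_holder_assertion(aadhaar_no, fingerprint_matched, ttl=60):
    """Assumed biometric-auth service: after a live fingerprint match (stubbed as a bool),
    issue a short-lived, single-use assertion bound to exactly one Aadhaar number."""
    if not fingerprint_matched:
        return None
    nonce = secrets.token_hex(8)
    exp = int(time.time()) + ttl
    return {"sub": aadhaar_no, "nonce": nonce, "exp": exp,
            "tag": _assertion_tag(aadhaar_no, nonce, exp)}


def lookup_holder_bound(user, password, aadhaar_no, assertion, now=None):
    """Hardened model: the operator login is necessary but not sufficient. The record is
    released only with a genuine, unexpired, unused assertion bound to the same number."""
    if OPERATORS.get(user) != password:
        raise PermissionError("bad operator credentials")
    if assertion is None:
        raise PermissionError("holder authentication required")
    expected = _assertion_tag(assertion["sub"], assertion["nonce"], assertion["exp"])
    if not hmac.compare_digest(expected, assertion["tag"]):
        raise PermissionError("forged assertion")
    if assertion["sub"] != aadhaar_no:
        raise PermissionError("assertion not bound to requested number")
    now = int(time.time()) if now is None else now
    if now > assertion["exp"]:
        raise PermissionError("assertion expired")
    if assertion["nonce"] in USED_NONCES:
        raise PermissionError("assertion already used")
    USED_NONCES.add(assertion["nonce"])
    return RECORDS.get(aadhaar_no)


def _attempt(*args):
    """Return the record name on success or the refusal reason on PermissionError."""
    try:
        return lookup_holder_bound(*args)["name"]
    except PermissionError as e:
        return str(e)


def demo():
    """Run both models with the same stolen login; returns what each model yields."""
    out = {"old_bulk": len(enumerate_with_stolen_login("agent01", "s3cret"))}
    out["new_no_assertion"] = _attempt("agent01", "s3cret", "123412341234", None)
    a = issue_holder_assertion("123412341234", fingerprint_matched=True)
    out["new_with_assertion"] = _attempt("agent01", "s3cret", "123412341234", a)
    out["new_cross_record"] = _attempt("agent01", "s3cret", "567856785678", a)
    out["new_replay"] = _attempt("agent01", "s3cret", "123412341234", a)
    forged = dict(a, sub="567856785678")  # re-pointed at another number, tag unchanged
    out["new_forged"] = _attempt("agent01", "s3cret", "567856785678", forged)
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the hardened path is that the secret an attacker can buy (an operator login) no longer has value on its own: every record release needs a fresh proof that the data subject was present, and that proof cannot be re-aimed at another number, replayed, or minted without the authentication service's key.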
“We are alarmed that…the agency is even planning to prosecute the reporter who exposed the danger to privacy that all Indian citizens face,” said Marty Kamden, CMO of NordVPN, via email. “It’s a brutal violation of freedom of speech and those who defend it. Also, diminishing the scale of this breach shows that Indians really cannot trust their government with their data.”
He added that these kinds of personal details can be used for a variety of criminal activities.
“The data can be used for phishing attacks or to blackmail the victims of the breach,” Kamden said. “When this happens to over a billion people, it can cause complete chaos. It seems that the Indian government is not particularly concerned about this violation of privacy of all citizens, so our advice is to encourage Indians to take their online privacy into their own hands.”
Sanjay Beri, CEO and founder of security company Netskope, had a similar take: “Regardless of whether the Indian government is correct and no biometric information was included in the database accessed by The Tribune of India, the opportunity for fraud stemming from this incident is immense. Sure, criminals may not be able to create exact duplicates of an individual’s Aadhaar ID card, but they still have all the data necessary to conduct highly targeted phishing attacks and other identity fraud. With the Aadhaar numbers, addresses, phone numbers, emails and photos of over a billion individuals, hackers could easily imitate the agency in order to convince unsuspecting citizens to turn over additional data—like their banking information.”