Aadhaar Info Available For Rs 500 In Just 10 Minutes? UIDAI Refutes All Reports Of Breaches
All your personal data may, unfortunately, be up for grabs from anywhere across India.
India's Aadhaar card system isn't just supposed to be a catch-all form of identification; it's also been promised to be "fully secure", as would be expected for personal information of this kind. Unfortunately, UIDAI officials seem to have ignored the most basic rule of cybersecurity: the weakest link is always humans.
According to several reports, your Aadhaar data isn't nearly as safe as UIDAI would have you believe. For just Rs 500, anyone can access all of your personal details whenever they feel like it. In fact, services that offer Aadhaar information purchases may have compromised any number of the more than a billion IDs created so far.
In the report, the Tribune investigative team details how it made contact with the agent of a group illegally selling Aadhaar data. After a simple Rs 500 payment on Paytm, the agent then created a login gateway for them, complete with a username and password to enter.
Of course, the UIDAI officials in Chandigarh were aghast, claiming no one should have any login access to the data repository aside from the Director-General and Assistant Director-General of the group. So just how did these third parties come to gain the power they now wield?
As it turns out, the problem seems to have begun about six months ago. Village Level Entrepreneurs, hired by the Ministry of Electronics and Information Technology (ME&IT) under the Common Service Centres Scheme (CSCS) across India, were tasked with making Aadhaar cards across the country. Unfortunately for them, the job was then taken away and handed solely to post offices and banks, in order to maintain the ID scheme's security.
The problem seems to be that the authorities didn't properly revoke admin permissions from these VLEs when they fired them, leaving disgruntled former employees with the keys to the kingdom. Whether they were using this power to illegally issue Aadhaar cards on the side is unconfirmed, but some have clearly taken things a step further and are providing others access to information they should never be able to see.
So, in short, everyone is at risk, no one's information is safe, and there's no real way to stop the guys responsible. If the Aadhaar scheme was really as secure as it was touted, the authorities should have been focused on precautionary measures as much as hacking protections.
Unfortunately now, it's hard to see how the situation can be salvaged, short of cancelling the entire scheme and purging the data archives, yet even that isn't a surefire way to protect your data. So, you can expect the authorities' investigation to carry on for the next few months. Until then, what can you really do? Probably not a damned thing.
Update: As of a little while ago, the UIDAI provided a statement to ANI calling the entire thing a case of "misreporting".
Unique Identification Authority of India denies media report titled "Rs 500, 10 minutes, & you have access to billion Aadhaar details" & calls it is a case of misreporting. UIDAI assures that there has not been any Aadhaar data breach & that the data is fully safe & secure: UIDAI pic.twitter.com/yvP8HQy180
— ANI (@ANI) January 4, 2018
It followed that within the hour with a tweet from its own handle repeating that once more.
Tribune's Story "Rs 500, 10 minutes, and you have access to billion Aadhaar details" is a case of misreporting. No biometric data breach @thetribunechd @rsprasad @ceo_uidai @timesofindia @firstpost @IndiaToday @ZeeNews
— Aadhaar (@UIDAI) January 4, 2018
Note the clarification here on "biometric data". Why? Because just two minutes later UIDAI had a different tune to sing.
Some persons have misused demographic search facility, given to designated officials to help residents who have lost Aadhaar/Enrollment slip to retrieve their details @thetribunechd @rsprasad @ceo_uidai @timesofindia @firstpost @IndiaToday @ZeeNews @htTweets @TheQuint
— Aadhaar (@UIDAI) January 4, 2018
If this means what's implied, that there was in fact a misuse of admin powers and data was leaked, then there's been absolutely no "misreporting". After all, the original investigative piece made no mention of any biometric data being accessible. Not that that's particularly great; after all, a thief can achieve a lot with your personal details even without your thumbprint.
So yeah, you need to still be worried about this fiasco.