An IIT Kharagpur graduate who has been accused of hacking into the central identities data repository of the Unique Identification Development Authority of India’s (UIDAI) Aadhaar project gained access to the repository through the Digital India e-hospital initiative of the Ministry of Electronics and Information Technology, police investigation has revealed. Bengaluru Police on Thursday formally announced the arrest of Abhinav Srivastava — a 31-year-old hailing from Uttar Pradesh — in connection with a complaint of unauthorised access of the central identities data repository filed by the UIDAI on July 26.
The complaint to the police stated said that Srivastava had accessed UIDAI data without authorisation between January 1 and July 26 for an app called ‘eKYC Verification’. The app delivered demographic data like name, address, phone number of individuals from the central identities data depository of Aadhaar to authenticate unique identity numbers. It was placed on Google Play Store with the claim that it was developed by an entity called myGov linked to the start-up Qarth Technologies, which had been acquired by the taxi hailing service Ola in 2016.
Investigations by the police cyber crime unit since the detention of the software engineer revealed that Srivastava hacked into the Aadhaar-enabled e-hospital system created under the Digital India project of the Government of India to access the central identities data repository of UIDAI for verification of Aadhaar numbers for his ‘eKYC Verification’ app.
“As a highly qualified technical expert, Srivastava had a deep interest in developing Android mobile apps. He developed the Aadhaar e-KYC verification mobile application in January 2017 and earned about Rs 40,000 from advertisements,’’ Bengaluru Police Commissioner T Suneel Kumar said on Wednesday. “The accused accessed UIDAI data through the e-hospital application and its server. He provided Aadhaar information to people through the app.’’
“He managed to hack into the server of the e-hospital system and, using this system, he used to send verification requests to the UIDAI database for his own app. The UIDAI system allowed access under the impression that the authentication requests were coming from the e-hospital system and it was not apparent that the query was unauthorised,’’ a police source said.
At the time of his arrest, Srivastava was employed with Ola after the start-up Qarth Technologies he created, with a IIT Kharagpur batchmate Prerit Srivastava, was acquired by Ola in March 2016 in order to take over an e-wallet app called X-pay developed by the start-up. Srivastava was earning Rs 40 lakh a year at Ola, Kumar said. The source said, “He has developed as many as five mobile apps. We are investigating if the eKYC Verification app he developed was used in any form by Ola. The app was used by around 50,000 people after it was placed on Google Play Store.”
Police sources said they were also probing if Srivastava had been aided by anyone in hacking into the e-hospital system. The e-hospital system was created by the government to allow people to make electronic appointments in government hospitals. It has been used in three hospitals in New Delhi — AIIMS, Dr Ram Manohar Lohia Hospital and Safdarjung Hospital.
The e-hospital app, which is hosted on the cloud services of NIC, facilitates online appointments at hospitals “using eKYC data of Aadhaar number, the if patient’s mobile number is registered with UIDAI. In case the mobile number is not registered, it uses the patient’s name”. Srivastava’s eKYC Verification app mimicked the e-hospital app in accessing the identity authentication services of UIDAI.