Aadhaar data allegedly ‘breached’ for Rs 500: All your questions answered

Aadhaar and its data security is once again facing criticism after a report alleged the entire data could be accessed after paying just Rs 500 to a third-party seller

By: Tech Desk | New Delhi | Published: January 4, 2018 3:50 pm
Aadhaar and its data security under shadow after report shows entire database could be accessed after paying just Rs 500 to a third-party seller

Once again Aadhaar, India’s biometric identification system, is in the eye of a storm after a report in Tribune India claimed that the entire data of 1 billion Indians could be accessed, or purchased, by paying just Rs 500 to a third party claiming to offer the service. Following the report, which has raised concerns, the Unique Identification Authority of India (UIDAI) has denied that any such data breach took place and insisted that all “Aadhaar data including biometric information is fully safe and secure.”

So what has happened with Aadhaar and is your data affected? Here’s a quick look.

What are the claims being made in the ‘Rs 500 for Aadhaar data’ news report? 

According to the Tribune report, third-party sellers operating on WhatsApp are selling access to the entire Aadhaar database. The report claims these sellers created a gateway and login access for The Tribune reporter, who was able to enter the Aadhaar number of any individual and get all details, including photo, address, name, date of birth, etc. The report also claims they paid another Rs 300 to get access to software to print the entire Aadhaar card itself. Indianexpress.com cannot independently verify the authenticity of the report.

In response, the UIDAI, in a statement, said: “UIDAI has given the said search facility for the purpose of grievance redressal to the designated personnel and state government officials to help residents only by entering their Aadhaar number/EID. UIDAI maintains complete log and traceability of the facility and any misuse can be traced and appropriate action taken.”

UIDAI says this is how the reporter got access to the database

The Aadhaar authority may have denied a data breach per se, such as one where cybercriminals gain unlawful access to the Aadhaar database. However, the statement adds that this particular case reported by the Tribune “appears to be an instance of misuse of the grievance redressal search facility.” So, yes, UIDAI has a search facility for the entire Aadhaar database, which is only supposed to be accessed by authorised personnel.

UIDAI is claiming they can trace how this access was given and will take legal action against those involved. The agency also claims this “grievance redressal search facility gives only limited access to name and other details and has no access to biometric details.”

The body also claims that just having someone’s Aadhaar number will not “be a security threat or will not lead to financial/other fraud, as for a successful authentication, fingerprint or iris of individual is also required.” The agency insists all Aadhaar data is protected with the best technology and security standards.

The reason for worry is that this is not the first time there have been reports of leaks of Aadhaar data, which should ideally remain private. Previously, in November 2017, PTI reported that personal details of many Aadhaar users were made public on over 210 central and state government websites. The report added that UIDAI, in response to an RTI query, said it took note of the breach and got the data removed from those websites.

The body had said at the time, “It was found that approximately 210 websites of central government, state government departments including educational institutes were displaying the list of beneficiaries along with their name, address, other details and Aadhaar numbers for information of general public.”

Is there a way to prevent misuse of biometrics and Aadhaar data?   

Biometrics and their misuse is one of the biggest dangers that privacy activists highlight. A user cannot change their fingerprint or iris scan if this kind of sensitive data is stolen. However, the UIDAI website says Aadhaar users can lock their biometrics so as to prevent any kind of authentication.

The procedure to lock the biometrics, according to UIDAI, is this:

A person can go to http://resident.uidai.gov.in/biometric-lock and enter their Aadhaar ID; a security code appears on the screen and an OTP thereafter comes to their mobile number. Once logged in, just toggle on the option to lock biometrics. Remember, if you do this you will not be able to use your fingerprint to authenticate any eKYC transaction that uses biometrics.

The mobile number has to be the one registered with UIDAI to get the OTP, else you will be unable to carry out this step. If you need to update your mobile number linked with Aadhaar, then you will have to go to an Aadhaar centre with the required documents and proof for the same. This step cannot be carried out online.


  1. Balaji Natarajan
    Jan 4, 2018 at 9:10 pm
    Shoddy implementation and lack of controls is becoming hallmark of this govt. Indian bureaucrats have zero competency other than finding ways for underhand dealings or harassing citizens. No wonder the citizens have to protect themselves from govt and each other. Sorry plight of implementation. Demon/GST/Aadhar/black money witch hunt. Zero meritocracy or competence in selection of administrative cadre, either affirmative action or nepotism - leading to acche din requires more than a vision/slogan. Fire the MoF team as well as UIDAI. Will supreme court intervene or let judiciary be mocked as in 2G
    1. Ashutosh V Divecha
      Jan 4, 2018 at 8:48 pm
      Somehow or the other someone is against AADHAR as it has considerably affected the modus operandi to loot the subsidies granted. Once it was said do not share your PAN No in railway ticket booking as it can be misused - but now GST Nos shows all PAN Nos. How can Aadhar No or stolen database like Name age address etc etc be misused by anyone ? One citizen and one identification - is a must for a clean Governance or otherwise general public will not know who how and when were beneficiaries of government grants schemes and subsidies.
      1. smart india
        Jan 4, 2018 at 8:43 pm
        Current ruling party without basic infrastructure want implement like foreign country. unfortunately current ruling party leaders not much educated in technology (or formal education) and infrastructure with basic education missing many ministers they can not make good decision the people will feel pain.
        1. Krishnan Srinivasan
          Jan 4, 2018 at 7:12 pm
          I urge the Supreme court dealing with Adhar -privacy-individuals fundamental rights, take a note on these type of occurrences and press reports.