Indian government portal leaks 8.9mn Aadhaar details, again

• Two consecutive leaks from Kodali of Aadhaar numbers
• Posted leaked numbers on Twitter
• Database maybe secure but government portals need additional security

Two new cases have come to light with a total of 8.9 million Aadhaar numbers of MGNREGA beneficiaries leaked through the Andhra Pradesh Benefit Disbursement Portal. The details were spotted by Srinivas Kodali, also known as @digitaldutta, who published screenshots on Twitter.

Another day, yet another #Aadhaar data leak of 89,38,138 MNREGA workers. Website maintained by $100 billion company TCS along with another government department. Reported to security agencies. Question: where is the UIDAI bug reporting mechanism? pic.twitter.com/0L4K2YUyl1

— Srinivas Kodali | శ్రీనివాస్ కొడాలి (@digitaldutta) April 26, 2018

His earlier tweet shows how people’s Aadhar numbers are being to used to collate data on their location, religion, caste, phones numbers and bank account numbers.

It has always been said #Aadhaar is being linked to religion and caste information, apart from occupation. While UIDAI is not doing it, other government departments are. Here is proof that UIDAI has no idea what all is being linked to your unique id. Website reported early today. pic.twitter.com/3acEgcA1Qt

— Srinivas Kodali | శ్రీనివాస్ కొడాలి (@digitaldutta) April 24, 2018

The first leak by Kodali was from the Andhra Pradesh State Housing Corporation. It showed an even grimmer reality of how Aadhar numbers are being linked to caste, the type of house a person lives in and the extent of damage it has suffered.

The website which was leaking all the sensitive information today was of Andhra Pradesh State Housing Corporation. Here are two images with details one showing last four digits of #Aadhaar after fix & other masked by me showing first two. Around 1,34,193 Aadhaar numbers leaked pic.twitter.com/pr2RwO3C5f

— Srinivas Kodali | శ్రీనివాస్ కొడాలి (@digitaldutta) April 24, 2018

Since then, he has reported the issue to the authorities, but his fear is that the surveys conducted in Andhra and Telangana have allowed citizens to carry phones and biometric readers, collecting private information on almost every individual.

Not the first time

Most recently, Karan Saini, a security researcher, told ZDNet that Aadhaar card information could be obtained through Indane’s system, a state-owned utility company. According to them, they tried to contact the authorities for over a month through several avenues but to no avail.

The affected endpoint was only pulled offline once the story had gone live.

The Tribune also looked into the Aadhaar database and found that they could attain all the details about a person by typing in the 12-digit unique identification number once they paid an agent ₹500 (approximately $8). For another ₹300 (approximately $5), that same individual could even print out a copy the Aadhaar card, which could then be used to access various government schemes.

Even the Android Aadhaar app was hacked by Robert Batiste, a french researcher, in under a minute.

How to bypass the password protection of the official #Aadhaar #android #app in 1 minute.
For this attack, the attacker need a physical access to the phone, rooted phone is not needed and yes this is the latest version of the app.
cc @uidai @ceo_uidai pic.twitter.com/7aZ0fvr0Wv

— Baptiste Robert (@fs0c131y) March 13, 2018

That said, Aadhaar breaches haven’t been directly through the Aadhaar database, but through various government portals and third-parties. So, Ajay Bushan Pandey, CEO of UIDAI, wasn’t incorrect when he said that there have been no data leaks from the UIDAI database.

The Aadhaar card system, in its usage, is more than just the database. There’s a wide ecosystem to be take in to account where security concerns are yet to be addressed. A secure database doesn’t necessarily imply security of information since so much of it exists outside the Aadhaar database itself.