Indian government portal leaks 8.9mn Aadhaar details, again
- Two consecutive leaks of Aadhaar numbers reported by Kodali
- Posted leaked numbers on Twitter
- Database may be secure, but government portals need additional security
His earlier tweet shows how people’s Aadhaar numbers are being used to collate data on their location, religion, caste, phone numbers and bank account numbers.
Another day, yet another #Aadhaar data leak of 89,38,138 MNREGA workers. Website maintained by $100 billion company TCS along with another government department. Reported to security agencies. Question: where is the UIDAI bug reporting mechanism? pic.twitter.com/0L4K2YUyl1— Srinivas Kodali | శ్రీనివాస్ కొడాలి (@digitaldutta) April 26, 2018
The first leak by Kodali was from the Andhra Pradesh State Housing Corporation. It showed an even grimmer reality of how Aadhaar numbers are being linked to caste, the type of house a person lives in and the extent of damage it has suffered.
It has always been said #Aadhaar is being linked to religion and caste information, apart from occupation. While UIDAI is not doing it, other government departments are. Here is proof that UIDAI has no idea what all is being linked to your unique id. Website reported early today. pic.twitter.com/3acEgcA1Qt— Srinivas Kodali | శ్రీనివాస్ కొడాలి (@digitaldutta) April 24, 2018
Since then, he has reported the issue to the authorities, but his fear is that the surveys conducted in Andhra and Telangana have allowed citizens to carry phones and biometric readers, collecting private information on almost every individual.
The website which was leaking all the sensitive information today was of Andhra Pradesh State Housing Corporation. Here are two images with details one showing last four digits of #Aadhaar after fix & other masked by me showing first two. Around 1,34,193 Aadhaar numbers leaked pic.twitter.com/pr2RwO3C5f— Srinivas Kodali | శ్రీనివాస్ కొడాలి (@digitaldutta) April 24, 2018
Not the first time
Most recently, Karan Saini, a security researcher, told ZDNet that
The affected endpoint was only pulled offline once the story had gone live.
The Tribune also looked into the Aadhaar database and found that they could obtain all the details about a person by typing in the 12-digit unique identification number once they paid an agent ₹500 (approximately $8). For another ₹300 (approximately $5), that same individual could even print out a copy of the Aadhaar card, which could then be used to access various government schemes.
Even the Android Aadhaar app was hacked by Baptiste Robert, a French researcher, in under a minute.
That said, Aadhaar breaches haven’t been directly through the Aadhaar database, but through various government portals and third parties. So, Ajay Bhushan Pandey, CEO of UIDAI, wasn’t incorrect when he said that there have been no data leaks from the
How to bypass the password protection of the official #Aadhaar #android #app in 1 minute.
For this attack, the attacker needs physical access to the phone; a rooted phone is not needed, and yes, this is the latest version of the app.
cc @uidai @ceo_uidai pic.twitter.com/7aZ0fvr0Wv— Baptiste Robert (@fs0c131y) March 13, 2018
The Aadhaar card system, in its usage, is more than just the database. There’s a wide ecosystem to be taken into account where security concerns are yet to be addressed. A secure database doesn’t necessarily imply security of information, since so much of it exists outside the Aadhaar database itself.