Aadhaar card
Creative Commons

The Unique Identification Authority of India (UIDAI), the statutory authority under the provision of Aadhaar Act 2016, has started investigation into the claims that its database is vulnerable and identity details of any details of more than a billion citizens could be accessed for just Rs 500, Business Standard reported. 

The Tribune on Thursday reported that the newspaper could access Aadhaar database and was able to buy login credentials to the UIDAI database. A detailed investigation done by the daily revealed that with just Rs 500, information such as the names, telephone numbers and addresses of millions of people could be bought. 

The newspaper claimed that it bought the Aadhaar details from someone who is running a WhatsApp group.

"Legal action, including lodging of FIR against the persons involved in the case, is being pursued," BS reported quoting UIDAI. However, the authority said that there had not been any breach of the biometric database.

Authority further said, "The case appeared to be an instance of misuse of the grievance redress search facility."

The authority said that it maintained a "complete log and traceability of the facility and any misuse can be traced and appropriate action taken."

"The Aadhaar number is not a secret number. It is to be shared with authorised agencies whenever an Aadhaar-holder wishes to avail of certain services. But that does not mean that the proper use of the Aadhaar number poses a security or financial threat," UIDAI claimed.

The authority explained that it had provided special access to some senior designated personnel, who can get limited access to names and other details of individuals by entering the Aadhaar number. But they cannot access the biometric details.

The report had also stated that around 100,000 village-level entrepreneurs might have gained access to the UIDAI database.

Even after the investigation done by the daily and also providing chilling evidences of data breach, the Aadhaar issuing authority denied data breach.

In a counter argument, the authority said that a mere display of demographic information could not be misused without biometrics.