"UIDAI has a well-designed, multi-layer approach, robust security system in place and the same is being constantly upgraded to maintain the highest level of data security and integrity," the Unique Identification Authority of India (UIDAI) said in an assurance statement last November, but an investigation led by the Tribune contradicts every aspect of that statement.
In a shocking revelation on Wednesday, the publication revealed it took just Rs 500 and 10 minutes to gain unfettered access to details of more than 1 billion Aadhaar numbers in India. A group tapping UIDAI data granted access to a portal that stored an individual's name, address, postal code (PIN), photo, phone number and email. All this for mere Rs 500, which was paid to the "agent" through Paytm.
But the Tribune didn't rest at that. On being given another Rs 300, the agent remotely installed a software that facilitated printing of Aadhaar cards after fetching the details of any individual, indicating that the level of the breach was alarming.
"Except the Director-General and I, no third person in Punjab should have a login access to our official portal. Anyone else having access is illegal, and is a major national security breach," Sanjay Jindal, Additional Director-General, UIDAI Regional Centre, Chandigarh, told the Tribune.
UIDAI has denied the report, titled — "Rs 500, 10 minutes, and you have access to billion Aadhaar details" — calling it "a case of misreporting." It has laso assured that "there has not been any Aadhaar data breach & that the data is fully safe & secure."
However, UIDAI also notes that it has taken legal action against those who "misused demographic search facility, given to designated officials to help residents who have lost Aadhaar/Enrolment slip to retrieve their details."
Some persons have misused demographic search facility, given to designated officials to help residents who have lost Aadhaar/Enrollment slip to retrieve their details @thetribunechd @rsprasad @ceo_uidai @timesofindia @firstpost @IndiaToday @ZeeNews @htTweets @TheQuint— Aadhaar (@UIDAI) January 4, 2018
@UIDAI maintains complete log & traceability of the facility, any misuse is traceable. Legal action taken, including FIR against persons involved. Search facility gives limited access to name & other details, has no access to biometric details @thetribunechd @rsprasad @ceo_uidai— Aadhaar (@UIDAI) January 4, 2018
There has not been any data breach of biometric database which remains fully safe & secure with highest encryption at UIDAI and mere display of demographic info cannot be misused without biometrics @thetribunechd @timesofindia @rsprasad @ceo_uidai @htTweets @ZeeNews @IndiaToday— Aadhaar (@UIDAI) January 4, 2018
Such reports raise a red flag and don't bode well for the government, which has been pushing people to link their Aadhaar to all major nationalised services, including bank accounts. The news comes close on the heels of a recent arrest in Jalandhar where a man withdrew money for someone's bank account by submitting a fake Aadhaar card. But UIDAI's denial changes that.
"Leakage of Aadhaar data reveals that the project has failed the privacy test. The revelation by The Tribune also means that the proposed data protection law will now hold no purpose, as the data has already been breached. The state governments must immediately disassociate themselves and cancel the MoU signed with UIDAI," said Gopal Krishan, New Delhi-based convenor of the Citizens Forum for Civil Liberties.
As per the Tribune's investigation, the data-tapping had started six months ago. The data-tapping groups targeted village-level enterprise (VLE) operators, who were initially tasked to make Aadhaar cards across India but rendered idle after the service was restricted to select banks and post offices.
The report also said over 1 lakh VLEs are now suspected to have gained access to UIDAI data to provide an illegal gateway to common people to make a quick buck.
Last November, the government found itself in hot water after more than 200 central and state government websites publicly displayed such as names and addresses of some Aadhaar beneficiaries.
The Supreme Court has currently extended the deadline for linking Aadhaar to these services till March 31, 2018.