India’s massive biometric ID card database has been hacked, yet again. This time (just as I predicted last year), the identities of over one billion Indian citizens have appeared for sale online. The latest hack was announced last Thursday by the Unique Identification Authority of India (UIDAI). It brings renewed vigor to criticisms surrounding the already controversial Aadhaar card system.
UIDAI has ordered a police investigation to find out exactly how a Tribune of India journalist was able to pay somebody on Whatsapp eight dollars to gain access to the Aadhaar database. Once inside the system, the journalist was able to access the names, addresses, photos, phone numbers – and other personally identifiable data – of over one billion citizens.
According to the agency, the gateway into the Aadhaar system was created by using a grievance-redressal search facility. Despite the staggering size of the breach, UIDAI has gone on the record to assure the public that the Aadhaar database remains secure:
“The Aadhaar data, including biometric information, is fully safe.”
That claim seems ludicrous considering the number of times that the Aadhaar database has been hacked since it was introduced. On this occasion, it took just Rs 500 (around eight dollars) paid through Paytm – and a short 10-minute wait – for the Tribune journalist to be given a working login ID and password. After that, the journalist was able to access personal data attached to the Aadhaar ID numbers of over 1 billion Indian citizens.
According to the Tribune journalist, for just five dollars more he could have purchased the software needed to create fake Aadhaar cards. In India, those cards are now needed as a form of ID in order to perform regular daily tasks. These include paying taxes, getting bank accounts, purchasing travel tickets, enrolling in schools, getting a mortgage, applying for and getting state benefits, and even receiving free gas in rural areas (using the Ujjwala’ welfare program).
Ever Growing Problem
Since its inception in 2009, the Aadhaar database has accumulated the details of 1.2 billion Indian citizens. Included in those details are personally identifiable biometric details such as fingerprints and iris scans. Fortunately, it is believed that on this occasion entry to the database did not grant the journalist access to any biometrics.
Kiran Jonnalagadda, co-founder of the Internet Freedom Foundation, is a huge critic of India’s invasive database. He has come forward to express his disbelief at the scale of the incident:
“I’m not surprised by the breach, but I’m surprised at how widespread the access was.”
India’s Government, the Bharatiya Janata Party, has gone on the record to reinforce the UIDAI position that access to the database was caused by misuse of the program’s grievance redressal system. According to the government, all reports of hackers causing a “breach” are “fake news”.
Despite that official statement, the reality is that unwanted people are currently using weaknesses and flaws in the database to gain access to sensitive information. The ability to access private details pertaining to so many citizens is a huge risk, which could easily lead to identity fraud.
What’s more, this isn’t the first time that the Aadhaar system has been breached. Last July, government agencies accidentally published sensitive Aadhaar data online. Earlier in 2017, sensitive Aadhaar information about 600,000 Indian children also accidentally made its way online.
Unbelievably, this Whatsapp story came to light on the same day as another critical flaw in the Aadhaar system was disclosed. According to a secondary Indian news outlet, a loophole permits anybody to gain administrator privileges in the database. Even worse, according to that report, once inside the system the “administrator” can grant further access to anyone else.
Within hours of the two reports surfacing, the portal for accessing the Aadhaar database (http://portal.uidai.gov.in/) was down. According to The Quint’s report, it is impossible to say how many people have been granted administrator rights. However, according to the article entry to the system has been sold “from anything between Rs 500 to Rs 6,000, and possibly even higher”.
Once inside the system, all the unauthorized admin needs to do is “replace the 12-digit Aadhaar number with the Aadhaar number of anyone in the country.” Doing so provides the unauthorized person with the citizen’s name, parents’ names, phone number, full postal address, email address, date of birth, gender, local language, and a photo.
Millions of Datasets Leaked
Although it was first introduced back in 2009, it wasn’t until 2016 that the government suddenly started a concerted effort to get as many citizens signed up for an Aadhaar card as possible. At that time, the Aadhaar (Targeted Delivery of Financial and other Subsidies, benefits and services) Act gave the UIDAI the right to collect and store all Indian citizens’ data.
Since then the Aadhaar database, which allocates every Indian citizen a unique 12 digit code, has been growing at an alarming rate. Cybersecurity experts and privacy advocacy groups have often warned that the database is vulnerable to attack. The problem with this kind of database is that it is open to abuse, mismanagement, and hacking. Sadly, evidence to prove critics right has been coming regularly since the new act was passed.
Last summer, the Indian telecommunications firm, Reliance Jio, accidentally leaked 120 million people’s data online. In September, Airtel was found to be using Aadhaar data to automatically sign up citizens for an Airtel payments account without their authorization. According to the report, $30 million worth of Ujjwala cooking gas subsidies were illegally transferred into those Airtel accounts as a result.
Despite these cases of leaks, hacking, and misuse, the Indian government intends to keep rolling out the Aadhaar system. It also intends to increase its use to include catching welfare cheats and criminals. The government plans to achieve this by integrating Aadhaar with the Crime and Criminal Tracking Network Systems. As such, despite last August’s judgment by the Supreme Court of India (SCI) – that privacy is a fundamental right – it seems that previous claims about Aadhaar being “too big to fail” are true and Aadhaar is here to stay.
Opinions are the writer’ own
Title image credit: John Kehly/Shutterstock.com
Image credits: Zbitnev/Shutterstock.com, Marco Saroldi/Shutterstock.com