Aadhaar is a massive project by the Indian government to provide every resident with a 12-digit unique identity number attached to their biometric data. Hours after a news report on January 4 exposed how the Aadhaar-related demographic data of more than one billion Indian residents had been leaked, the Unique Identification Authority of India, which manages the Aadhaar database, responded that the “mere display” of this information could not “be misused without biometrics”.
“It is an incompetent claim that demographic data cannot be misused without biometrics,” he said. It can also act as fodder for groups indulging in financial frauds.” A cyber security expert and consultant to police departments in several states concurred. “If demographic data related to Aadhaar lands in the wrong hands, it can be a rich resource for spear phishing,” he said. “It is clear that the entire Aadhaar ecosystem, which deals with both demographic and biometric information, stands poor in terms of cyber security.
“Demographic data is largely private data and there is a tremendous amount of risk associated with the unauthorized access of such data,” he said. However, experts and lawyers say that the Unique Identification Authority of India’s response was an “incompetent claim”, which indicated that the body was not treating the security breach with the seriousness it warranted. This is a more targeted form of fraud than voice phishing in which criminals are usually working blind, without significant information about their potential victims.
We are talking about individuals who are not well aware in terms of digital literacy. Often, people have fallen for these cons because the callers had inquired about details that seemed totally unrelated to monetary transactions. “If demographic information of such a massive scale has been exposed, imagine the sample size of data that such criminals can [now] use to evaluate the behavior of their targets as part of the social engineering process,” said Chaudhary. “It is a goldmine for criminals, in both physical and virtual spaces, who can target any individual through such private data.” The availability of demographic data eventually leads to the violation of the right to privacy.