What is Aadhaar?
Aadhaar is a massive project by the Indian government to provide every resident with a 12-digit unique identity number attached to their biometric data. This gargantuan project was undertaken to give each citizen an immutable record for identification, which can be used as official and legal proof for many government services. It is similar in nature to the Social Security Number (SSN) assigned to citizens in other countries.
The applicant’s picture and essential details, along with the applicant’s biometrics, are captured during the creation of the ID. This record can be referenced and verified using the 12-digit unique number along with an OTP sent to the applicant’s contact number. This 2-step security was enforced as an additional measure of safety.
This unique ID can be used to purchase a SIM card, open bank accounts, obtain LPG gas connections, etc. Hence it was touted as a one-for-all-purpose government-issued ID record for all citizens of India, free of charge.
How big is the Aadhaar data breach?
A news report has exposed how the Aadhaar-related demographic data of more than a billion Indian residents had been leaked, with the details available for a mere INR 500 (~7 USD). The UIDAI (Unique Identification Authority of India), which manages the Aadhaar database, responded that the “mere display” of this information could not “be misused without biometrics”.
Earlier, a similar breach risk was reported in one of the Indian state government websites, where Aadhaar data could be easily hacked into. This was tweeted by a researcher who tagged UIDAI in the tweet with proof. We believe this was later fixed.
Hi @UIDAI and @ceo_uidai, let me show you one of the "unscrupulous elements". This governmental website is leaking 4769 files. In this open directory you can find biometric data, #Aadhaar card scans and more. https://t.co/RcoMlnD6jo pic.twitter.com/HugQ65MdYf — Elliot Alderson (@fs0c131y) March 14, 2018
This person, who goes by the moniker “Elliot Alderson” on Twitter, is Robert Baptiste, a French security researcher. His tweet caused ripples in the Indian governing administration and led to a lot of improvements in securing sensitive data.
Why is this response of UIDAI causing concern?
“It is an incompetent claim that demographic data cannot be misused without biometrics,” he said. “It can also act as fodder for groups indulging in financial frauds.” A cybersecurity expert and consultant to police departments in several states concurred. “If demographic data related to Aadhaar lands in the wrong hands, it can be a rich resource for spear phishing,” he said. “It is clear that the entire Aadhaar ecosystem, which deals with both demographic and biometric information, stands poor in terms of cybersecurity.”
“Demographic data is largely private data and there is a tremendous amount of risk associated with the unauthorized access of such data,” he said. However, experts and lawyers say that the Unique Identification Authority of India’s response was an “incompetent claim”, which indicated that the body was not treating the security breach with the seriousness it warranted. Spear phishing is a more targeted form of fraud than voice phishing, in which criminals are usually working blind, without significant information about their potential victims.
So what to expect now as an Aadhaar cardholder?
We are talking about individuals who are not well aware in terms of digital literacy. Often, people have fallen for these cons because the callers had inquired about details that seemed unrelated to monetary transactions. “If demographic information of such a massive scale has been exposed, imagine the sample size of data that such criminals can [now] use to evaluate the behavior of their targets as part of the social engineering process,” said Chaudhary. “It is a goldmine for criminals, in both physical and virtual spaces, who can target any individual through such private data.” The availability of demographic data eventually leads to the violation of the right to privacy.
Hearing about these data breaches can be worrying. Keep yourself and your loved ones safe on the Internet with these 5 quick and easy steps.