9 JAN 2018
A vast majority of Indian citizens—more than a billion people—are potentially affected by the exposure of the country’s biometric database.
An Indian newspaper reporter uncovered the issue as part of an investigative effort into the security of the Unique Identification Authority of India (UIDAI), which serves as the issuing authority for Aadhaar cards. These voluntary cards carry a 12-digit unique identification number that is linked to the holder's fingerprints and iris scans. The cards are used for authentication with several state-owned entities and departments, including those responsible for subsidies and the national health service, as well as public sector banks and other organizations, such as the Life Insurance Corporation of India. UIDAI has repeatedly touted the security of the system.
During the course of the investigation, The Tribune of India was able to buy, for just Rs 500 (about $8), login credentials that returned the demographic record behind any Aadhaar number in the database.
“[We] ‘purchased’ a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far,” the paper explained. “It took just Rs 500 [around $8], paid through Paytm, and 10 minutes in which an ‘agent’ of the group running the racket created a ‘gateway’ for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI…, including name, address, postal code (PIN), photo, phone number and email.”
The Tribune team also paid an additional $5 for software that printed a facsimile of the Aadhaar card belonging to any Aadhaar number entered into it.
UIDAI publicly downplayed the issue, saying the exposed records contained “mere demographic” details and no biometric data, so the printed facsimiles would be of limited use in most cases.