The government is on a widespread mission to digitize the country. The most prominent topic in digitization is Aadhaar identification, which is becoming mandatory for almost every service in the country. Aadhaar captures the most sensitive and important identifier a person has: their biometric data. The UIDAI has repeatedly stressed that its system is hack-proof and that data cannot be leaked. However, other websites and services using Aadhaar have been known to leak the public's data online. New research now reveals that four government databases may have exposed around 135 million Aadhaar numbers online.
The research was conducted by The Centre for Internet & Society (CIS), and the report is titled “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information”. The report, authored by Amber Sinha and Srinivas Kodali, found various instances of publicly available Aadhaar numbers and personally identifiable information (PII) of individuals on government websites. The research focuses on four government projects that have publicly available Aadhaar numbers and financial data. These projects include the National Social Assistance Program and the National Rural Employment Guarantee Act (NREGA) by the Ministry of Rural Development. The other two are the Daily Online Payment Reports under NREGA and the Chandranna Bima Scheme by the Government of Andhra Pradesh.
According to the research, around 130 to 135 million Aadhaar numbers have been leaked through the four government portals, and around 100 million bank account numbers have been leaked from other portals. The National Social Assistance Program includes sensitive information about pensioners, such as job card number, bank account number, Aadhaar number, and account frozen status. The research revealed that although the details of the pensioners were not publicly available, anyone with login access could get their hands on them. The National Rural Employment Guarantee Scheme has MIS reports on the workers listed, and after thorough research it was discovered that PII such as job card number, Aadhaar number, bank and postal account number, the number of days worked, registration number, and account frozen status was all publicly available.
The Chandranna Bima Scheme, which provides aid to families of unorganized workers in case of fatalities, also had the PII of these workers available for public use. The PII that was available included a host of information: Aadhaar number, mobile number, and partially masked bank account number, along with the IFSC code and the bank’s name. Lastly, the Daily Online Payment Reports, which keep track of NREGA work and payments, had very sensitive details publicly available. These included the Aadhaar number, bank and postal account number with mobile number, details of the e-pay order, time and date of disbursement, pay order amount, and the mode of payment.
The report further states that the UIDAI has been irresponsible in ensuring that Aadhaar information remains safe in other services linked to it. As mentioned above, it is the government portals and services linked with Aadhaar that have been careless and prone to making sensitive information public. In a recent case, the Jharkhand Directorate of Social Security revealed the personal identities of over a million citizens who were beneficiaries of the state’s old-age pension scheme. The Jharkhand government was clueless as to how the data was leaked, which shows that there are still no strict measures being taken to ensure security.