The 12-digit Aadhaar number issued by the Unique Identification Authority of India (UIDAI) remains the most controversial scheme in the country. Since the government started mandating it for key services like SIM cards and bank accounts, there have been a number of data breaches that have ended up exposing the Aadhaar details of ordinary Indians.
Now, the Aadhaar numbers of citizens have leaked twice in a span of just two days, raising further concerns about security. An independent researcher has exposed two cases of Aadhaar numbers of innocent citizens being revealed by the Andhra Pradesh government. Aadhaar whistleblower Srinivas Kodali tweeted screenshots that suggest the 12-digit UIDAI-issued numbers of 89,38,138 MNREGA (Mahatma Gandhi National Rural Employment Guarantee Act) beneficiaries had been compromised on the website of the Andhra Pradesh Benefit Disbursement Portal.
Another day, yet another #Aadhaar data leak of 89,38,138 MNREGA workers. Website maintained by $100 billion company TCS along with another government department. Reported to security agencies. Question: where is the UIDAI bug reporting mechanism? pic.twitter.com/0L4K2YUyl1
— Srinivas Kodali | శ్రీనివాస్ కొడాలి (@digitaldutta) April 26, 2018
“Website maintained by $100 billion company TCS along with another government department. Reported to security agencies. Question: where is the UIDAI bug reporting mechanism?” Srinivas tweeted.
Srinivas also questioned the inability of UIDAI to create a proper mechanism to report bugs on the platform. “When a bug is reported, there is no proper mechanism in place to acknowledge the mistake. What are they doing about it? Until they change this, these leaks will continue to happen,” he told TNM.
After Srinivas tweeted about the Aadhaar data breach, the portal began masking the 12-digit numbers of all those 89 lakh MNREGA beneficiaries. While it is not a data breach in technical terms, it raises questions about how government websites and authorities handle the Aadhaar data entrusted to them by citizens. Since the backend of Aadhaar is powered by a company like TCS, it also raises the question of whether these engineers are building systems with little sandboxing and data privacy in mind.
The Aadhaar data exposure by the AP government website came just a day after the data of 1.34 lakh citizens in the state was found to have been compromised. The data leak revealed their 12-digit Aadhaar number along with their religion, caste and bank details. The leak was part of a list titled ‘Beneficiary Details belonging to Entry Report for Scheme Hudhud’ and was available on the website of the Andhra Pradesh State Housing Corporation.
According to TNM, the list clearly showed the name of the person’s father, address, panchayat, mobile number, ration card number, occupation, religion, caste, Aadhaar number alongside information like bank branch, IFSC code and account number. The data exposed by the Andhra Pradesh State Housing Corporation was in conflict with the Unique Identification Authority of India’s (UIDAI) data policy, where it claims that it does not link any of these details with the Aadhaar number of citizens. The government maintains its stand that Aadhaar is being secured using the highest security standards.