NEW DELHI, March 24
India's biometric ID programme, Aadhaar, has been hit by another major security lapse, allowing access to private information, business technology news website ZDNet reported on Saturday.
A data leak on a system run by a state-owned utility company can allow access to private information of Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and their bank details, ZDNet said.
Even though the security lapse had been flagged to some government agencies over a period of time, it has yet to be fixed. ZDNet said it was withholding the name of the utility and other details.
Karan Saini, a New Delhi-based security researcher, said that anyone with an Aadhaar number was affected.
"This is a security lapse. You don't have to be a consumer to access these details. You just need the Uniform Resource Locator where the Application Programming Interface is located. These can be found in less than 20 minutes," Saini told Reuters.
UIDAI response
UIDAI denied there was any leak.
“We refute the reports in a certain section of media sourced from ZDNet which quote a person purportedly claiming to be a security researcher that a state-owned utility company has a vulnerability which can be used to access a huge amount of Aadhaar data including banking details,” the agency said in a tweet on Saturday evening.
“There is no truth in this story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure.”
Aadhaar, a biometric identification card with over 1.1 billion users, is the world's biggest database.
But it has been facing increased scrutiny over privacy concerns following several instances of breaches and misuse.
Last Thursday, the CEO of the UIDAI said the biometric data attached to each Aadhaar was safe from hacking as the storage facility was not connected to the internet.
"Each Aadhaar biometric is encrypted by a 2048-key combination and to decode it, the best and fastest computer of our era will take the age of the universe just to hack into one card's biometric details," Ajay Bhushan Pandey said. Reuters
There is no truth in this story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure. 2/8
— Aadhaar (@UIDAI) March 24, 2018
Even if the claim purported in the story were taken as true, it would raise security concerns on database of that Utility Company and has nothing to do with security of UIDAI’s Aadhaar database. 4/8
— Aadhaar (@UIDAI) March 24, 2018
If one goes by the logic of ZDNet’s story, since the Utility company’s database also had bank account numbers of its customers, would that mean that all Indian banks’ databases have been breached? The answer would obviously be in the negative. 5/8
— Aadhaar (@UIDAI) March 24, 2018
Mere availability of Aadhaar number with a third person will not be a security threat to the Aadhaar holder or will not lead to financial/other fraud, as for any transaction, a successful authentication through fingerprint, iris or OTP of the Aadhaar holder is required. 7/8
— Aadhaar (@UIDAI) March 24, 2018
We advise people not to get misled by such false and irresponsible stories being circulated in social and other media by some vested interests. 8/8
— Aadhaar (@UIDAI) March 24, 2018