Aadhaar data breach: UIDAI refutes media reports, says biometric information safe and secure, no leakage occurred
Unique Identification Authority of India (UIDAI) on Thursday denied breach or leak of Aadhaar data after a newspaper reported it bought unrestricted access to the details of over one billion Aadhaar numbers -- for just Rs 500
New Delhi: Unique Identification Authority of India (UIDAI) on Thursday denied breach or leak of Aadhaar data after a newspaper reported it bought unrestricted access to the details of over one billion Aadhaar numbers -- for just Rs 500.
"The Aadhaar data, including biometric information, is fully safe and secure," the authority said in a statement, calling the report in The Tribune "a case of misreporting".
"UIDAI assures that there has not been any Aadhaar data breach," the statement said, adding that the data was secure with a "robust uncompromised security".
The authority said it had given search facility for the purpose of grievance redressal to designated personnel and state government officials to help residents only by entering their 12-digit Aadhaar numbers.
The grievance redressal search facility, the statement said, "gives only limited access to name and other details and has no access to biometric details".
It said the authority maintains complete log and traceability of its search facility and any misuse was traceable.
"The reported case appears to be instance of misuse of the grievance redressal search facility. As UIDAI maintains complete log and traceability of the facility, the legal action including lodging of FIR against the persons involved in the instant case is being done."
The Aadhaar database "remains fully safe and secure with highest encryption at UIDAI and mere display of demographic information cannot be misused without biometrics".
It said 12-digit ID number was not secret and had to be shared with authorized agencies whenever an Aadhaar holder wishes to avail certain service or benefit of government welfare schemes.
"That does not mean that the proper use of Aadhaar number poses a security or financial threat. Also, mere availability of Aadhaar number will not be a security threat (and) will not lead to financial (or) other fraud, as for a successful authentication fingerprint or iris of individual is also required.
"Claims of bypassing or duping the Aadhaar enrolment system are totally unfounded. The UIDAI Data Centres are infrastructure of critical importance and is protected accordingly with high technology conforming to the best standards of security and also by legal provisions."
The Tribune report, which was widely shared on social media sites, claimed that it took just Rs 500 and 10 minutes for the newspaper to get an access through an "agent" to every detail of any individual submitted to the UIDAI, including name, address, postal code (PIN), photo, phone number and email.
Tribune’s Story “Rs 500, 10 minutes, and you have access to billion Aadhaar details” is a case of misreporting. No biometric data breach @thetribunechd @rsprasad @ceo_uidai @timesofindia @firstpost @IndiaToday @ZeeNews
— Aadhaar (@UIDAI) January 4, 2018
Some persons have misused demographic search facility, given to designated officials to help residents who have lost Aadhaar/Enrollment slip to retrieve their details @thetribunechd @rsprasad @ceo_uidai @timesofindia @firstpost @IndiaToday @ZeeNews @htTweets @TheQuint — Aadhaar (@UIDAI) January 4, 2018
There has not been any data breach of biometric database which remains fully safe & secure with highest encryption at UIDAI and mere display of demographic info cannot be misused without biometrics @thetribunechd @timesofindia @rsprasad @ceo_uidai @htTweets @ZeeNews @IndiaToday
— Aadhaar (@UIDAI) January 4, 2018
@UIDAI maintains complete log & traceability of the facility, any misuse is traceable. Legal action taken, including FIR against persons involved. Search facility gives limited access to name & other details, has no access to biometric details @thetribunechd @rsprasad @ceo_uidai — Aadhaar (@UIDAI) January 4, 2018
The newspaper said it paid another Rs 300, for which the "agent" provided "software" to facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.
The Tribune also claimed to have found in its investigation that the racket may have started around six months ago when some anonymous groups were created on WhatsApp.
These groups targeted over three lakh village-level enterprise operators hired by the Ministry of Electronics and Information Technology (ME&IT) under the Common Service Centres Scheme (CSCS) across India, offering them access to UIDAI data.
CSCS operators were initially entrusted with the task of making Aadhaar cards across the country but were withdrawn later. The service was restricted to post offices and designated banks to avoid any security breach in November last year.
Subscribe to Moneycontrol Pro at ₹499 for the first year. Use code PRO499. Limited period offer. *T&C apply
Illegal agencies and operators will be blacklisted and get punishment for up to 3 years: UIDAI Chief
Pandey explained that the UIDAI first blacklists the operator and then prosecutes it by the Aadhaar Act.
This is yet another case of government agencies using Aadhaar as a verification system, and not taking enough measures to secure the database online
Aadhaar security breaches: Here are the major untoward incidents that have happened with Aadhaar and what was actually affected
Despite the number of reports over the last couple of years, UIDAI has maintained that the Aadhaar server and the biometric data is safe.