As data security, cybersecurity and user data privacy take centre stage in public discussion, a new report has emerged detailing a major data leak from the Aadhaar database.
The breach was reported by the business technology website ZDNet, whose report also describes its extent.
The security breach
According to the report, Karan Saini, a security researcher from New Delhi, found that a state-owned utility company is responsible for the breach. "Utility company" here could refer to a provider of electricity, natural gas (CNG) or water. The company uses Aadhaar to verify the identity and status of its customers. The report has not revealed the name or the website of the company because the vulnerability remains unfixed.
The breach allows anyone with the technical know-how "to download private information on all Aadhaar holders". Anyone who knows what they are doing can retrieve the holder's full name, the consumer number used by the utility company, and the bank accounts connected to the Aadhaar number. The exposed records are not limited to customers of the utility company in question. One thing to note is that the report clarifies that the breach does not affect the biometric data held in the database.
The exposure of associated banking information directly contradicts claims by UIDAI and Union minister Ravi Shankar Prasad that Aadhaar holds no information on bank accounts.
Cause of the leak
As the report points out, this information can easily be used by cybercriminals for impersonation or identity theft. The root cause is an unsecured API (application programming interface) endpoint. In simple terms, developers use APIs to access functions or data provided by another application, system or database, in this case Aadhaar. What is troubling is that the endpoint has no access controls and the Aadhaar database access token is hardcoded into it, so every caller effectively borrows the utility company's credential: anyone with the skill can use the endpoint to query Aadhaar numbers against the database without any authentication.
The API in question also does not have "any rate limiting in place", meaning there is no cap on the number of requests that can be sent in a given time frame. Anyone intent on gathering data can therefore write a script that iterates through every possible number in the Aadhaar number series, sends a request for each and records the details returned with every successful hit, giving access to "potentially trillions" of Aadhaar numbers. All of this can be done from a single ordinary computer; no supercomputer is needed.
The API is not pulling data from one static snapshot; it is pulling from a database that is continuously being updated. To explain the situation, Saini added in the report, "From the requests that were sent to check for a rate-limiting issue and determine the possibility of stumbling across valid Aadhaar numbers, I have found that this information is not retrieved from a static database or a one-off data grab, but is clearly being updated - from as early as 2014 to mid 2017. I cannot speculate whether it is UIDAI that is providing this information to [the utility provider], or if the banks or gas companies are, but it seems that everyone's information is available, with no authentication."
To illustrate the situation with an example: Aadhaar has granted API access to 'Company ABC' so that the company can confirm the identity of its customers. That API access is the official pathway through which the company checks identities against the Aadhaar database. In this case, however, the company has not secured the infrastructure it uses for those checks, so anyone can reach the pathway and collect Aadhaar data.
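The two flaws described above, a public endpoint that embeds the upstream access token and applies no authentication, and the absence of any rate limit that would stop enumeration, can be shown side by side. The following is an added example written for this page, not code from ZDNet, Saini or the utility company; the upstream database, the token name and the sample records are all constructed stand-ins, and the hardened version is one reasonable design (authenticated session, per-session token-bucket limit, token kept server-side, yes/no answer instead of the record) rather than anything the report prescribes.

```python
"""Vulnerable vs hardened identity-verification endpoint (constructed example)."""
import hmac
import time

# Constructed stand-ins for the upstream identity database. The real service,
# its token and its records are not modelled here.
UPSTREAM_TOKEN = "hardcoded-upstream-token"  # assumed name; not a real credential
UPSTREAM_DB = {
    "123456789012": {"name": "A. Example", "consumer_no": "C-0001", "bank": "XXXXXX1234"},
    "234567890123": {"name": "B. Example", "consumer_no": "C-0002", "bank": "XXXXXX5678"},
}


def upstream_lookup(token: str, aadhaar_no: str):
    """Stand-in for the upstream API: whoever presents the token gets the full record."""
    if not hmac.compare_digest(token, UPSTREAM_TOKEN):
        return None
    return UPSTREAM_DB.get(aadhaar_no)


# ---- The flaw as described: public endpoint, token in its code, no checks ----
def vulnerable_verify(aadhaar_no: str):
    """Anyone can call this with any 12-digit string, as often as they like, and
    receives the full record because the endpoint itself holds the token."""
    return upstream_lookup(UPSTREAM_TOKEN, aadhaar_no)


# ---- A hardened replacement ----
class TokenBucket:
    """Per-caller rate limit: `capacity` requests, refilled at `rate` per second."""

    def __init__(self, capacity: int, rate: float, now: float):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.last = float(capacity), now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class HardenedVerifier:
    """Only a logged-in customer may ask, only about their own account, only a few
    times per minute, and the answer is a boolean rather than the record."""

    def __init__(self, sessions: dict, capacity: int = 5, rate: float = 1 / 60):
        self.sessions = sessions  # session_id -> consumer_no of the logged-in customer
        self.buckets: dict = {}
        self.capacity, self.rate = capacity, rate

    def verify(self, session_id: str, aadhaar_no: str, now: float = None) -> dict:
        now = time.monotonic() if now is None else now
        consumer_no = self.sessions.get(session_id)
        if consumer_no is None:
            return {"status": 401}  # no authenticated session, no query
        bucket = self.buckets.get(session_id)
        if bucket is None:
            bucket = self.buckets[session_id] = TokenBucket(self.capacity, self.rate, now)
        if not bucket.allow(now):
            return {"status": 429}  # enumeration stalls here
        if not (len(aadhaar_no) == 12 and aadhaar_no.isdigit()):
            return {"status": 400}
        record = upstream_lookup(UPSTREAM_TOKEN, aadhaar_no)  # token never leaves the server
        # Answer only whether this number belongs to the logged-in customer.
        matched = record is not None and record["consumer_no"] == consumer_no
        return {"status": 200, "verified": matched}


if __name__ == "__main__":
    print("vulnerable:", vulnerable_verify("123456789012"))
    v = HardenedVerifier({"sess-a": "C-0001"}, capacity=3, rate=0.0)
    for i in range(4):
        print("hardened call", i, v.verify("sess-a", "123456789012", now=0.0))
```

Run stand-alone, the vulnerable function hands back name, consumer number and bank details for any number that exists, while the hardened verifier answers the customer's own number with a bare `verified` flag and starts returning 429 once the per-session budget is spent. Enumeration against the vulnerable function costs one request per candidate number; against the hardened one it costs a valid session per handful of guesses, which is what makes the "potentially trillions" of lookups impractical.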
Lack of response
The most concerning part of the report is that ZDNet tried to reach Indian authorities for more than a month "but nobody responded". The reporters then contacted the Indian Consulate in New York and alerted it to the breach, spending over two weeks explaining the issue in detail and answering follow-up questions. By the third week the issue was still not fixed. The reporters emailed the Consulate about publishing the story but received no reply. The affected system was still online and vulnerable at the time of writing.
This comes days after Unique Identification Authority of India (UIDAI) CEO Ajay Pandey gave a PowerPoint presentation before the Supreme Court of India in defence of the Aadhaar scheme. It is not the first time the security of the database has been questioned; its security provisions have been under scrutiny since the program's inception. Earlier this year, an in-depth investigation by The Tribune found that anyone could buy Aadhaar information for Rs 500 within 10 minutes; the government of India dismissed it as 'fake news'. Finally, a hearing on the legality of the Aadhaar scheme in India is currently under way in the Supreme Court.