The Unique Identification Authority of India (UIDAI) said on 4 January that its search facility for grievance redressal may have been misused but denied any breach or leak of Aadhaar data after a newspaper reported it bought unrestricted access to details of over one billion Aadhaar numbers, for just Rs 500 and in 10 minutes.
The authority that collects and maintains biometric and other details for the unique ID holders called The Tribune report "a case of misreporting". But the newspaper stood by its story, saying the UIDAI claiming no breach of Aadhaar data "flies in the face of that".
"UIDAI assures that there has not been any Aadhaar data breach... The Aadhaar data including biometric information is fully safe and secure," a UIDAI statement said, adding that the data was secure with a "robust uncompromised security".
The authority said it had given a search facility for the purpose of grievance redressal to designated personnel and state government officials to help residents. The search facility, the statement said, "gives only limited access to the name and other details and has no access to biometric details.
"The reported case appears to be an instance of misuse of the grievance redressal search facility. As UIDAI maintains complete log and traceability of the facility, the legal action including lodging of FIR against the persons involved in the instant case is being done."
The Tribune report, widely shared on social media, claimed that it took just Rs 500 and 10 minutes for the newspaper to get access through an "agent" to every detail of an individual submitted to the UIDAI including name, address, postal code (PIN), photo, phone number and email.
The newspaper said it paid another Rs 300, for which the "agent" provided software to facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.
In its point-by-point response to UIDAI's denial, the newspaper said UIDAI's admission that the search facility on its website had been "misused" did not change the fact that the theft had taken place.
"Aadhaar data has been accessed by unauthorised people. The fact is that it has been misused to steal data, personal information such as name, date of birth, address, PIN, photo, phone number, e-mail, at will, for any Aadhaar number."
The UIDAI said an Aadhaar number was not a secret number and needed to be shared with authorised agencies to avail of certain services or benefits of government welfare schemes or other services, and that the proper use of an Aadhaar number posed no security and financial threat, as a successful authentication required the fingerprint or iris of an individual.
The newspaper said what it found in its investigation was that unauthorised persons have gained access to people's personal information. "The Tribune correspondent was also able to enter biometric data of specific individuals who were available at hand, at an unauthorised location, to print out Aadhaar cards. That is a partial breach of the biometric data too, even if biometric data was not downloaded."