Aadhaar, banking data leaked? UIDAI trashes reports: Top 10 developments

The Unique Identification Authority of India (UIDAI), the nodal agency for implementing the Aadhaar project in India, on Saturday refuted a report by technology news platform ZDNet which claimed that Aadhaar had been hit by another major security lapse. The report, coming days after UIDAI told the Supreme Court that it would take even the world's fastest computer "the whole universe's strength to break the Aadhaar encryption", claimed that private information of a large number of citizens had been compromised.

According to the ZDNet report, an Aadhaar data leak on a system run by a state-owned utility company could allow access to private information of Aadhaar holders, exposing their names, their 12-digit unique identity numbers, and their bank details.

“This is a security lapse. You don’t have to be a consumer to access these details. You just need the Uniform Resource Locator where the Application Programming Interface is located. These can be found in less than 20 minutes,” Karan Saini, a Delhi-based security researcher told Reuters.

UIDAI, however, refuted the claim and advised people not to be misled by such reports.

"There is no truth in this story as there has been absolutely no breach of UIDAI's Aadhaar database. Aadhaar remains safe and secure," the statement issued by UIDAI read.

Here are the top 10 developments around Aadhaar security and a string of alleged data breaches:

1. UIDAI refutes report of Aadhaar database breach: Terming the Aadhaar database breach report as "baseless, false and irresponsible," UIDAI advised people not to be misled by such reports.

A statement released by the Authority said there was no breach of Aadhaar database and it remains safe and secure.

It said in a series of tweets on its official handle: "We refute the reports in a certain section of media sourced from ZDNet which quote a person purportedly claiming to be a security researcher that a state-owned utility company has vulnerability which can be used to access huge amount of Aadhaar data including banking details. There is no truth in this story as there has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure. The story is totally baseless, false & irresponsible. It purports that the database of a state Utility company containing its customer details such as bank account numbers, consumer number, Aadhaar number (not the biometrics), etc., has vulnerability. Even if the claim purported in the story were taken as true, it would raise security concerns on database of that Utility Company and has nothing to do with security of UIDAI’s Aadhaar database."

"If one goes by the logic of ZDNet’s story, since the Utility company’s database also had bank account numbers of its customers, so would that mean that all Indian banks’ databases have been breached? The answer would obviously be in negative. Further, one must understand that the Aadhaar number, though a personal sensitive information, is not a secret number. Mere availability of Aadhaar number with a third person will not be a security threat to the Aadhaar holder or will not lead to financial/other fraud, as for any transaction, a successful authentication through fingerprint, Iris or OTP of the Aadhaar holder is required. We advise people not to get misled by such false and irresponsible stories being circulated in social and other media by some vested interests," UIDAI added.

2. ZDNet report raised concern on database of utility company, not Aadhaar, says UIDAI: In its statement, UIDAI said that even if the claim purported in the story were taken as true, it would raise security concerns on the database of that utility company and had nothing to do with the security of UIDAI's Aadhaar database.

Also, the fact that the utility company had bank account numbers of its customers did not imply that all Indian banks' databases had been breached, UIDAI clarified.

3. Report claims major security lapse in Aadhaar: A media report on Saturday stated that Aadhaar has been hit by another major security lapse. The report said that a data leak on a system run by a state-owned utility company can allow access to private information of Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and their bank details.

4. ‘Universe's strength needed to break Aadhaar encryption’: In a first-ever PowerPoint presentation in open court, Ajay Bhushan Pandey, the Chief Executive Officer of UIDAI, told the Supreme Court on Thursday that it would take the world’s fastest computer “the whole universe’s strength to break the Aadhaar encryption system”.

Noting that data matching software has been bought from the world's three best companies and stored on UIDAI's 6,000 servers, Pandey had said that these are not linked to the internet to eliminate the possibility of any backdoor access to the data.

5. 'UIDAI is blind': Reverting to the question of intrusion in the privacy of Aadhaar users, Pandey said the UIDAI is "blind" and does not keep track of any transaction done by using the Aadhaar card. "If somebody opens a bank account or gets a mobile phone by using the Aadhaar, the UIDAI cannot know the account details or the phone number," he had said.

Once the enrolment agency submits the biometric details after enrolment, the data is encrypted and deposited at the Central Identities Data Repository (CIDR), Pandey explained.

6. ‘No one will suffer loss of benefits’: Pandey had further said the UIDAI has no data about persons who have been denied benefits for want of Aadhaar or due to lack of authentication. He was responding to the top court's query about whether there was any official data on how many persons had been denied benefits either for want of Aadhaar or due to failure of their authentication.

"We had no means to know as to how many persons have been denied benefits... Is there any official data on denial of services," the bench had said.

Pointing to the "exception handling mechanism" in the UIDAI system, Pandey had said that "no one will suffer the loss of benefits for the lack of Aadhaar" as the bench pointed to the illiterate, the poor and tribals who may not be aware that over time their biometrics have undergone changes and must be updated.

7. Why are some denied ration despite having Aadhaar? One of the judges hearing the matter, Justice Sikri, had asked Pandey what happens if a person goes to a ration shop and, even though his biometric details match, is refused goods which are later drawn by the shop owner in an unauthorised manner.

Pandey couldn’t answer that question and just said, "It has to be handled at a different level.”

8. On Jharkhand woman's death over ration: Responding to the Supreme Court's question on the death of a woman in Jharkhand after she was denied ration for want of Aadhaar authentication, the CEO had said he was aware of the case and that it was not a case of failure of authentication. The authentication was done and the Aadhaar details matched; it was a case of dishonesty on the part of the shopkeeper of the fair price shop.

It was the "failure of honesty" and not the failure of Aadhaar, Additional Solicitor General Tushar Mehta, who represents UIDAI, had said.

9. ‘Face ID’ from July 1: Pandey also said that UIDAI would introduce ‘face ID’ on July 1 to enable Aadhaar holders to authenticate their identity to access services, benefits and subsidies. Aadhaar would include the face besides the fingerprints and iris for authentication. The facial identification would help people without biometrics or those with poor biometrics to avoid authentication failures and financial exclusion.

Pandey had said that people suffering from leprosy or others who don't have biometric details would get Aadhaar on the basis of their facial scan or their registered mobile number, which would operate on one-time password system.

10. UIDAI mum on virtual ID: The UIDAI, however, remained silent on the roll-out of the virtual ID, a 16-digit number generated randomly by the Aadhaar system. UIDAI was supposed to introduce the virtual ID by March 1, and companies using Aadhaar were to deploy it by June 1.

“The UIDAI will be releasing necessary APIs (application programming interface) with implementation by March 1, 2018,” the circular had said. It said that all authorities should migrate to the new system by June 1, 2018, after which their authentication services could be discontinued and financial disincentives may be imposed.

The authority had also announced the launch of limited Know Your Customer (KYC) norms, which allow UIDAI to restrict the information flow to private companies so that only the required information about a citizen, rather than the complete demographic profile, is shared.