Aadhaar Security Fail
India's Aadhaar biometric database holds the records of over 1.1 billion Indians. Given the scale of the database, the breaches and leaks of personal data have also been massive: potentially every one of the 1.1 billion people enrolled in Aadhaar could have been affected by multiple breaches and leaks. There have also been cases where it was possible to add fake records to the database. The UIDAI, the authority that runs the Aadhaar scheme and the database, claims that the central database itself has never been breached. However, there have been numerous examples of data held by the UIDAI leaking in other ways: through faulty access points operated by third parties, or through patched enrollment software. Many of these are linked to decisions made in the design of the system, including the design of enrollment and the push to encourage Aadhaar's use across the public and private sectors.
Tools to access the entire database were circulating in WhatsApp groups for as little as 500 rupees (USD 7). This has left millions of Indians open to a broad range of frauds, and given how widely Aadhaar is used in the public and private sectors, the possibilities for abuse are growing. It also affects vulnerable people in society: the fear that their personal details will be exposed has led people to avoid seeking treatment for HIV/AIDS, for instance.
- HIV-positive patients' identity cards have increasingly been linked to Aadhaar, a move pushed for by the National AIDS Control Organisation. Although linking is not compulsory, in November 2017 it was reported that some patients were denied treatment until they gave their
- In December 2017, it was revealed that the large telco Bharti Airtel had used Aadhaar-linked eKYC (electronic Know Your Customer) to open bank accounts for its customers without their knowledge or consent. eKYC is a way of using data in the UIDAI database as part of the verification process
- In January 2018, journalists found that, for 500 rupees (around USD 7), they could buy on WhatsApp access to a gateway that let them view the personal details connected to any entry on the Aadhaar database: by entering any Aadhaar number, they could see details like the
- In March 2018, a security researcher discovered that the state-owned utility company Indane had access to the Aadhaar database via an API but had not secured this point of entry. As a result, anybody could use the service to access details from the Aadhaar database about any Aadhaar number
- In September 2018, journalists found that a software patch was widely available that disabled or weakened the security features in the software used to enroll people on the Aadhaar database, potentially from anywhere in the world. The patch was reportedly widely available in WhatsApp groups
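The January 2018 gateway and the March 2018 Indane API share one design flaw: the only input the lookup endpoint required was the identifier itself, so whoever could reach it could read any record and walk the whole number space. The following is an added example, not code from this article, the UIDAI, Indane or any real gateway. It shows that weak design beside a hardened one (caller credential, scope check, per-caller rate limit, audit log, and a yes/no verification result instead of the full record), and goes one step further than the text by adding a detector that flags bulk enumeration in the gateway's access log. Every record, client name, token, secret and log line is constructed for the example; a real deployment would use asymmetric credentials rather than the HMAC shortcut used here.

```python
"""Added example: a minimal record-lookup service, weak vs. hardened, plus an
enumeration detector for its access log.  All data here is constructed."""
import hmac
import hashlib
import time
from collections import defaultdict

# Constructed sample records keyed by a 12-digit identifier (fake values).
RECORDS = {
    "123456789012": {"name": "Person A", "dob": "1980-01-01"},
    "234567890123": {"name": "Person B", "dob": "1975-05-05"},
}


def insecure_lookup(number):
    """Weak design: the identifier is the only input, so any caller who can
    reach the endpoint can read any record and iterate through all numbers."""
    return RECORDS.get(number)


# Hardened design.  Assumptions: the secret lives only on the server, and each
# integrating client is registered with an explicit set of allowed scopes.
SECRET = b"constructed-server-secret"
CLIENT_SCOPES = {"utility-co": {"verify"}, "unknown-app": set()}
RATE_LIMIT_PER_MINUTE = 5


def mint_token(client_id):
    """Issue a credential bound to a registered client (HMAC for brevity)."""
    mac = hmac.new(SECRET, client_id.encode(), hashlib.sha256).hexdigest()
    return f"{client_id}.{mac}"


def _client_from_token(token):
    """Return the client id if the token's MAC verifies, else None."""
    try:
        client_id, mac = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, client_id.encode(), hashlib.sha256).hexdigest()
    return client_id if hmac.compare_digest(mac, expected) else None


class LookupService:
    def __init__(self):
        self.calls = defaultdict(list)  # client_id -> recent call timestamps
        self.audit = []                 # (ts, client_id, number, outcome)

    def lookup(self, token, number, now=None):
        now = time.time() if now is None else now
        client = _client_from_token(token)
        if client is None:
            return self._deny(now, "-", number, "bad_token")
        if "verify" not in CLIENT_SCOPES.get(client, set()):
            return self._deny(now, client, number, "no_scope")
        recent = [t for t in self.calls[client] if now - t < 60]
        self.calls[client] = recent
        if len(recent) >= RATE_LIMIT_PER_MINUTE:
            return self._deny(now, client, number, "rate_limited")
        self.calls[client].append(now)
        record = RECORDS.get(number)
        # Data minimisation: a verifier needs to confirm that a number is
        # valid, not to read the holder's demographic data.
        self.audit.append((now, client, number, "ok" if record else "no_match"))
        return {"verified": record is not None}

    def _deny(self, now, client, number, reason):
        self.audit.append((now, client, number, reason))
        return {"error": reason}


def flag_enumeration(log_lines, window_seconds=60, threshold=20):
    """Flag callers that query many distinct identifiers within one window,
    the pattern a mass-extraction tool leaves behind in the gateway log.
    Each line is constructed as: '<unix_ts> <client_id> <number> <outcome>'."""
    seen = defaultdict(list)
    for line in log_lines:
        ts, client, number, _outcome = line.split()
        seen[client].append((float(ts), number))
    flagged = {}
    for client, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ids = {n for t, n in events[i:] if t - t0 <= window_seconds}
            if len(ids) >= threshold:
                flagged[client] = len(ids)
                break
    return flagged


# Constructed log: one client re-verifying a single number, another walking
# consecutive identifiers as fast as the gateway answers.
SAMPLE_LOG = (
    [f"{1000 + i} utility-co 123456789012 ok" for i in range(3)]
    + [f"{1000 + i} bulk-tool {100000000000 + i:012d} ok" for i in range(25)]
)

if __name__ == "__main__":
    svc = LookupService()
    print(svc.lookup(mint_token("utility-co"), "123456789012", now=0))
    print(svc.lookup("not-a-token", "123456789012", now=0))
    print(flag_enumeration(SAMPLE_LOG))
```

The rate limit and scope check stop a single leaked credential from becoming a database dump, and the audit log is what makes `flag_enumeration` possible after the fact; the insecure variant keeps no record of who asked for what, which is why the incidents above were discovered by journalists and researchers rather than by the operators.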