
Days after govt defends system security in Supreme Court, Aadhaar gets hit by new data leak

These claims came at a time when on Wednesday the Centre assured the top court that all data collected from millions of people under the Aadhaar scheme was safe


Just a couple of days after Unique Identification Authority of India (UIDAI) CEO Ajay Bhushan Pandey defended Aadhaar’s security in the Supreme Court, a report surfaced claiming that the system has been hit by a new data leak.

According to the report published in ZDNet, a Delhi-based security researcher has told the publication that a data leak on a system run by a state-owned utility company could allow anyone to download private information on all Aadhaar holders.

The report claimed that the hackers could get access to Aadhaar holders' names, their unique 12-digit identity numbers, and information about services they are connected to, such as their bank details along with other private information.

ZDNet said that it had spent more than a month trying to contact the Indian authorities, but nobody responded to their repeated emails.

The report further said that the ZDNet team had contacted the Indian Consulate in New York and alerted Devi Prasad Misra, consul for trade and customs, but even after a week the bugs had not been fixed. 

The report explained that the utility provider, which the report did not name for security reasons, has access to the Aadhaar database through an Application Programming Interface (API), which the company relies on to check a customer's status and verify their identity.

"But because the company hasn't secured the API, it's possible to retrieve private data on each Aadhaar holder, regardless of whether they're a customer of the utility provider or not," it mentioned.

“The affected endpoint uses a hardcoded access token, which, when decoded, translates to "INDAADHAARSECURESTATUS," allowing anyone to query Aadhaar numbers against the database without any additional authentication,” it stated. 

The researcher says that the API allows any hacker to try several combinations of Aadhaar numbers, and every time a request hits a valid number, that person’s details can be found.

The researcher reportedly could send thousands of requests each minute -- just from one computer.

"From the requests that were sent to check for a rate limiting issue and determine the possibility of stumbling across valid Aadhaar numbers, I have found that this information is not retrieved from a static database or a one-off data grab, but is clearly being updated -- from as early as 2014 to mid 2017. I cannot speculate whether it is UIDAI that is providing this information to [the utility provider], or if the banks or gas companies are, but it seems that everyone's information is available, with no authentication -- no rate limit, nothing," ZDNet quoted the researcher as saying.
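The two gaps described above, a shared hardcoded token and no rate limit, are what a per-caller lookup guard is meant to close. The sketch below is an added example, not code from the report or from any system it describes; the class name, thresholds, caller labels and identifiers are all constructed for illustration, and it assumes each caller is keyed by an individual credential or source address, since a token shared by every client identifies nobody.

```python
from collections import Counter, defaultdict, deque

class LookupGuard:
    """Per-caller sliding-window limits for an ID-lookup endpoint.

    `caller` must be a per-client credential or source address (assumption).
    """

    def __init__(self, window=60.0, max_requests=30, max_distinct=10):
        # Thresholds are assumed values for illustration, not from the report.
        self.window = window
        self.max_requests = max_requests
        self.max_distinct = max_distinct
        self._events = defaultdict(deque)  # caller -> (timestamp, identifier)

    def check(self, caller, identifier, now):
        """Return 'ok', 'rate' or 'enumeration' for one lookup request."""
        events = self._events[caller]
        while events and now - events[0][0] >= self.window:
            events.popleft()  # drop requests that have left the window
        if len(events) >= self.max_requests:
            return "rate"
        seen = {ident for _, ident in events}
        if identifier not in seen and len(seen) >= self.max_distinct:
            return "enumeration"  # too many different IDs from one caller
        events.append((now, identifier))
        return "ok"


def replay(requests, guard=None):
    """Run (timestamp, caller, identifier) tuples through the guard."""
    guard = guard or LookupGuard()
    outcome = defaultdict(Counter)
    for now, caller, identifier in requests:
        outcome[caller][guard.check(caller, identifier, now)] += 1
    return outcome


def constructed_traffic():
    """Constructed sample: one scanning caller, one ordinary caller."""
    scan = [(i * 0.05, "caller-A", f"ID-{i:06d}") for i in range(1000)]
    normal = [(i * 10.0, "caller-B", f"CUST-{i}") for i in range(5)]
    return sorted(scan + normal)


if __name__ == "__main__":
    for caller, counts in replay(constructed_traffic()).items():
        print(caller, dict(counts))
```
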

These claims came at a time when on Wednesday the Centre assured the top court that all data collected from millions of people under the Aadhaar scheme was safe and contained in a storage facility that was barricaded behind a fortified wall. Continuing its submissions in the ongoing matter challenging the constitutional validity of Aadhaar, the Centre put the right to eat on a higher ground than the right to privacy.

Addressing concerns over data breach, the Centre said that data collected under Aadhaar was secure since it was kept in a building that has 10 ft thick walls.

Representing the Centre, Attorney General KK Venugopal also quoted former Prime Minister Rajiv Gandhi in the Supreme Court to put forth its arguments supporting Aadhaar.

He added that the Aadhaar programme was not a “fly-by-night effort to score some brownie points” and urged the apex court to spare a few minutes and allow the CEO of UIDAI to present a PowerPoint presentation to quell all apprehensions behind the unique 12-digit biometric identification scheme.
