The curious case of Aadhaar and a data-breach

Last Updated: Fri, Jan 05, 2018 13:45 hrs

If you are among those who have already read about how data from the UIDAI is available for as low as Rs 500, chances are high that you are already feeling vulnerable. After all, it is not every day that critical details such as your biometrics, address, schooling details, and a host of other records can be made available online, for as low as Rs 500.

Journalist Rachna Khaira, working for The Tribune, wrote a story explaining how 10 minutes and Rs 500 opened a treasure trove of close to a billion odd Aadhaar records for her. Here is a link to the story.

Officials from the Unique Identification Authority of India (UIDAI) expressed shock and surprise at this. An official of Additional Director General rank was quoted as saying that if access were granted to more than two users (besides the Director General and Additional Director General), the case would constitute a "national security breach".


Media reports suggest that messages forwarded on the WhatsApp messaging app have advertised access to Aadhaar data.

Three lakh village level enterprise (VLE) operators, hired by the Ministry of Information and Technology to offer UIDAI data acquisition services, became redundant after their bread-and-butter service was taken over by banks and designated post offices in November 2017.

Since then, VLEs have offered services such as Aadhaar card printing to stay afloat. However, such services expose a loophole and could potentially result in misuse of data. It is estimated that over one lakh VLE service providers could have access to UIDAI data.

There is also speculation that hackers could have fraudulently gained access to a Rajasthan Government Aadhaar portal named- The website was reported by a handful of agencies to have allowed access to print Aadhaar cards of Indian citizens.

There is still nothing substantial to confirm whether this website remains an official government portal or even a UIDAI one. found the owner of the website from a Whois tracking service. A Whois service shares the details of the owner of a domain. The "Secretary and Commissioner" for the department of IT and Communication came up as the registrant for the domain.

After several media reports, the UIDAI came out with a tweet saying, "Claims of bypassing or duping the Aadhaar enrolment system are totally unfounded. Aadhaar data is fully safe and secure and has robust uncompromised security. The UIDAI data centres are infrastructure of critical importance and is protected accordingly with high technology conforming to the best standards of security and also by legal provisions."

Although there are ways and means by which hackers could have ended up spoofing or sharing incorrect details of the registrants, it is important to note that this is not the first time that there have been concerns about Aadhaar data use and misuse.

Here is the PIB tweet, which was re-tweeted by UIDAI:


It is difficult to believe the claims made by UIDAI. A gang in UP found an elaborate and complex way to fake Aadhaar card details. Although the gang was arrested recently, their story was published a few months ago across national media, and it explains how UIDAI and the nation's precious Aadhaar data is certainly hackable.

This gang made use of fingerprint scanners, laptops, rubber stamps and even bypassed UIDAI's security systems to fake enrollment details.

Besides this case, there have been speculative stories on how data center agencies, empanelled by UIDAI, could end up misusing Aadhaar data.

At a time when the government is all gung-ho on expanding the UIDAI-led Aadhaar as the government's distribution system to weed out corruption, there appear to be giant spanners in the works.

In the event that simple data records such as date of birth, mother's maiden name and PAN card details have indeed been breached, these should be sufficient to set a new banking PIN, reset an internet banking password, fraudulently alter mobile phone details such as address, or even obtain a duplicate SIM.

There could also be cases where victims suffer from spam SMS and emails that market the flimsiest of services and products. Agencies could also exploit Aadhaar data to build an entire behavioral pattern, but at the cost of a user's privacy.

The recent case of Yahoo and its data breach in 2013-14 comes immediately to mind when one looks at the aspect of a data breach. 1.5 billion user accounts were jeopardized in the biggest data breach in history. The event wiped $350 million off Yahoo's valuation during its sale to Verizon.

Will UIDAI confirm how reliable their security claims are? If not, will the government be ready to pay the price of losing the citizens' trust?
