In 2009 the Government of India launched a project to assign a 12-digit verifiable number, known as the Aadhaar number, to each of its citizens. The Aadhaar number is linked to each resident through multiple factors, including basic demographic information, biometric data (including a photograph), and all fingerprints and iris scans. Since the launch of the program, the Aadhaar number has also been linked to cell phone accounts, bank accounts, tax filings, scholarships, pensions, rations, school admissions and health records. Aadhaar is said to be the world’s largest biometric ID system, storing records of about 90% of India’s population, or roughly 1.22 billion people.
The Indian government has been very proud of the technology and of the sophisticated security measures implemented in the program. In fact, the government claims Aadhaar to be “un-breachable”. However, over time details have been disclosed of numerous Aadhaar data breaches of varying sizes, which also point to the lack of security controls on this huge and critical database.
Timeline of Breaches:
February 2017 – The Aadhaar information of 500-600 thousand children was leaked through a government agency in Telangana state.
March 2017 – The Ministries of Drinking Water and Sanitation and Human Resource Development exposed an unknown number of Aadhaar numbers to the public.
April 2017 – Numerous reports emerged of new leaks from government and industry websites that left millions of pieces of personal information, including Aadhaar numbers, exposed to the public.
May 2017 – 130-135 million Aadhaar numbers, along with 100 million bank account numbers, were exposed through 4 government websites. The websites belonged to services including social assistance, employment, payment reports, and insurance.
August 2017 – 20,100 Aadhaar numbers were leaked through a Punjab government website. The victims were applicants to a low-cost housing program.
October 2017 – A Punjab medical college exposed the Aadhaar details of 12,200 students.
January 4, 2018 – A local newspaper published an article on how they were able to access and search through the entire database by paying as little as $8 to an individual on WhatsApp. The records contained information such as names, emails, addresses, phone numbers and postal codes. It was also found that this confidential information was available for as little as 2-7 cents per record.
March 2018 – A faulty Aadhaar software patch was released. It gave users an elevated access level and allowed them to bypass critical security features such as the iris scan and GPS location verification. This vulnerability reportedly exposed the entire database, which at the time contained about 1.2 billion records.
April 26, 2018 – The Aadhaar information of 8.9 million workers was leaked through a government website. The employment assistance program website is maintained by a well-known IT company contracted by the government.
April 27, 2018 – This leak was initially introduced in February 2017. Three months later, the number of leaked Aadhaar records belonging to school children rose from 500-600 thousand to 6.7 million.
April 30, 2018 – A government website leaked around 2 million Aadhaar numbers of pregnant women, along with detailed health tracking information. The data contained reproductive history, risk status, the result of the pregnancy, and in some cases infants’ vaccination history. The data was originally gathered by the government for tracking the mortality rate.
February 15, 2019 – The latest reported breach exposed 6.7 million records due to yet another misconfigured government website. A state-owned oil and gas company named Indane was responsible for the breach. Indane’s website contained a customer information section that was not only accessible to the public but also left completely exposed and unprotected. Customers’ personal and confidential information, such as name, address and Aadhaar number, was leaked due to the lack of any authentication on the local dealer portal.
What Is the Government's Reaction?
The Government is fighting many battles to prove the security and safety of citizens’ information. It has repeatedly ignored any possibility of system vulnerability and vouched for the integrity and confidentiality of the database, yet the number of breaches in a short period of time says otherwise.
India’s Tribune newspaper reported that it was able to get access to the Aadhaar database. Reports in the same newspaper indicate that, for $95, a person was allegedly given admin privileges on the system. Admins can create new usernames and passwords, or even more admin accounts with the same capabilities. In another incident, the reporter was able to access and search the entire database by transferring only $8 to an individual on WhatsApp. Such reports, if true, threaten the integrity of the database and allow for the creation of fake names and IDs, eventually leading to identity theft on a scale never imaginable before.
Meanwhile, the Unique Identification Authority of India (UIDAI), which administers the Aadhaar system, continues to discredit any news about vulnerabilities in the Aadhaar system and the possibility of a security breach. It has said in a statement that “Aadhaar data is fully safe and secure and has robust, uncompromising security.” It has pressed charges against the researchers and/or journalists who begged to differ.
What Could Have Been Done?
100% security of anything does not exist! A robust environment requires constant monitoring and assessment to ensure the security of its data and operations. This includes solid documentation such as network diagrams, users and access privileges, policies and procedures, roles and responsibilities, as well as communication plans. To make things worse for Aadhaar, its administrators reportedly had not communicated anything to the various integration partners about the software vulnerabilities or previous breaches. In fact, there are many reports of people who managed to report system bugs but were publicly harassed, so many local security reporters who identified the vulnerability did not report it for fear of being arrested or treated the same way.
Connecting more devices together, increasing accessibility, and demanding high availability of data are considered necessities in today's world. One aspect that seems to be underestimated, however, is the security of this information and the devastating consequences if it ends up in the wrong hands. Luckily, there are standards, best practices, and frameworks designed to help organizations with their cybersecurity initiatives. Security assessments are a great way for your organization to get a better perspective on its overall security posture and identify vulnerable spots within your network. They determine your deviation from compliance and from the industry's best security practices, and highlight the gaps within your existing security controls.