List of students with their Aadhaar numbers, caste, parents' info and photographs along with their signatures leaked online

Aadhaar numbers being stored by others apart from UIDAI are not secure

Srinivas Kodali, published in Kaarana, Feb 22, 2017

On February 17, on being informed about a website publishing various details of potentially 5–6 lakh children, including their Aadhaar numbers, I informed the authorities responsible for the website to bring it down, and the website was brought down at the earliest. The website was publishing several attributes, including Aadhaar number, name of the child, both parents' names, gender, caste, signature and photo. The core biometrics of the individuals affected are probably secure, as this was a third-party website storing the mentioned information along with Aadhaar. This was a data leakage with lax measures around information design and without any access management controls or encryption to store data securely on the website servers.

After the website was brought down, I filed an incident report with supporting evidence with the National Critical Information Infrastructure Protection Center (NCIIPC) along with the Unique Identification Authority of India (UIDAI) on 19th February. The website was not cached on any major search engines, nor on archive systems like the Wayback Machine. But it would be fair to say the metadata of servers and domains is quite public and its allied websites might contain similar data. It is for the authorities to conduct forensic analysis and look into this leak further.

Now, as curious as everyone is to know further details about what the organization was and why they were storing this information in the first place, I am not at liberty to disclose any further information until the relevant authorities conclude their investigation and release further information. There are a lot of questions for which I seek answers as well: how long the website has been running, how much information was accessed during this time period, and whether this information was accessed by non-state actors. These are questions which can only be answered through a forensic analysis of the servers, which are only accessible to the website maintainers and relevant authorities.

In India there is no mandatory disclosure law related to cyber security incidents, and the authorities may not even disclose who the affected parties were in this incident. I do not know the list of all individuals affected by this leak, as I did not access any major information apart from what was needed for minimal evidence to be submitted to the authorities. The Aadhaar Act of 2016 has provisions to issue new Aadhaar numbers, and whether UIDAI will issue them to the affected parties is a serious question.

This is not the only website out there which is storing various identity data linking Aadhaar as a key in the databases. Private identity verification providers like OnGrid are collecting larger individual attributes by linking them to Aadhaar. The bigger question is whether these databases are secure and are being subjected to any security and compliance standards by UIDAI. There are several questions which need answers from UIDAI and its founding architects with regard to the security, robustness and functionality of Aadhaar servers/APIs and verification mechanisms for the larger public. I hope UIDAI answers some of these for us, preferably through an open house on security, before citizens lose what little faith they have left in the authority. I have little incentive to actually report issues to authorities if they don’t respond to or acknowledge the reports I sent.

Originally published at www.lostprogrammer.com on February 22, 2017.

Srinivas Kodali (Kaarana)

Researcher working on data, governance & internet. Working on RTI, Open Data, Digital Standards, Maps, Cities. Opinions @DeccanChronicle @thewire_in @TheQuint