Aadhaar Data Breach — How Sensitive Data Of 1.3 Billion Indians Was Compromised

Rithik V Gopal · Published in The Deep Hub · 10 min read · Dec 19, 2022

The World Economic Forum’s (WEF’s) Global Risks Report 2019, says, “The largest (data breach) was in India, where the government ID database, Aadhaar, reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens. It was reported in January 2018 that criminals were selling access to the database at a rate of Rs 500 for 10 minutes, while in March a leak at a state-owned utility company allowed anyone to download names and ID numbers.”

In recent years, governments around the world have proactively pushed policies to build efficient digital identity ecosystems. Such actions reflect the desire of societies to move beyond their traditional, inefficient paper-based administration towards highly integrated digital economies. One such initiative is Aadhaar, from the Government of the Republic of India. It is a unique 12-digit number issued to citizens of India on successful enrolment of their data into the Aadhaar database. The body that oversees the operations of the Aadhaar programme is the UIDAI (Unique Identification Authority of India). Aadhaar enrolment captures biometric data such as iris scans and fingerprints. An enrolment is confirmed only when the captured biometrics meet certain quality conditions and pass the redundancy (de-duplication) check, i.e. the given biometrics are verified against the data already in Aadhaar to prevent counterfeit enrolments. As of November 2021, 1.3 billion Aadhaar numbers had been generated at a cost of around 60 billion rupees. Because this database holds such a large volume of sensitive data, it must be secured.

The rewards associated with implementing such digital identity systems include access to public and/or commercial services for the wider population of the country. The Aadhaar database holds personal information and biometric data, such as iris scans and fingerprints, of more than 1.3 billion Indian residents. Anyone enrolled in the database can use their Aadhaar to open a bank account, apply for a passport, buy a car or book a hotel stay. Companies and organizations such as Zomato or OLA can also use Aadhaar data to identify their customers. However, digital identity systems also carry the possibility of substantial long-term risks; such risks must be addressed, and without fail.

Timeline of Breaches:

  • February 2017 — 500–600 thousand children’s Aadhaar records were leaked through a government agency in Telangana state.
  • March 2017 — The Ministries of Drinking Water and Sanitation and of Human Resource Development publicly exposed an unknown number of Aadhaar numbers.
  • April 2017 — Numerous reports of new leaks from government and industry websites that left millions of personal records, including Aadhaar numbers, exposed to the public.
  • May 2017 — 130–135 million Aadhaar numbers, along with 100 million bank account numbers, were exposed through four government websites belonging to services including social assistance, employment, payment reports and insurance.
  • August 2017 — 20,100 Aadhaar numbers were leaked through a Punjab government website. The victims were applicants to a low-cost housing programme.
  • October 2017 — A Punjab medical college exposed the Aadhaar details of 12,200 students.
  • January 4, 2018 — A local newspaper published an article on how its reporters were able to access and search the entire database by paying as little as $8 to an individual on WhatsApp. The records contained names, emails, addresses, phone numbers and postal codes. It was also found that this confidential information was being sold for as little as 2–7 cents per record.
  • March 2018 — A faulty Aadhaar software patch was released. It gave users elevated access and allowed them to bypass critical security features such as iris-scan and GPS location verification. This vulnerability reportedly exposed the entire database, which at the time contained about 1.2 billion records.
  • April 26, 2018 — Aadhaar information for 8.9 million workers was leaked through a government website. The employment assistance programme website is maintained by a well-known IT company contracted by the government.
  • April 27, 2018 — This leak was first reported in February 2017. Three months later, the number of leaked Aadhaar records belonging to school children had risen from 500–600 thousand to 6.7 million.
  • April 30, 2018 — A government website leaked around 2 million Aadhaar numbers of pregnant women, along with detailed health-tracking information. The data contained reproductive history, risk status, pregnancy outcome and, in some cases, infants’ vaccination history. The data had originally been gathered by the government to track mortality rates.
  • February 15, 2019 — The latest breach reported 6.7 million exposed records due to yet another misconfigured government website. A state-owned oil and gas company named Indane was responsible. Indane’s local dealer portal contained a customer-information section that was reachable by the public with no authentication at all, leaving customers’ personal and confidential information such as name, address and Aadhaar number completely exposed.

How did the breach happen?

A software patch, which could be purchased for as little as $35, lets unauthorized people located anywhere in the world create Aadhaar numbers. A patch is a collection of code applied to a computer program to change, update, fix or improve it; this includes fixing bugs. This particular patch, however, stripped out security controls:

  1. The patch lets users bypass critical security features such as biometric authentication of enrolment operators, in order to generate unauthorized Aadhaar numbers.
  2. The patch could disable the enrolment software’s built-in GPS security feature, which was used to verify the physical location of every enrolment centre; this means anyone anywhere in the world — say, Beijing, New York or London — could use the software to enrol users.
  3. The patch drastically reduced the sensitivity of the enrolment software’s iris-recognition system, making it easier to spoof the software with a photograph of a registered operator rather than requiring the operator to be present in person.

Over 70 subdomains under a Government of India website provided access to demographic-authentication services without verifying the identity of the requester. The websites gave easy access to an application programming interface (API) in which anyone could enter an individual’s Aadhaar number, name, gender and date of birth and be directed to a page that either read “yes” or displayed an error message, indicating whether the information corresponded to a valid entry in the Aadhaar database. Such unrestricted access to the API raised major privacy concerns and was exploited by hackers seeking to uncover people’s Aadhaar numbers. It clearly violated the Aadhaar Act, the law governing India’s nationwide digital-identity programme.
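The weakness above is an answer oracle with no notion of who is asking. The following added example (my own illustration, not UIDAI code or any real endpoint) contrasts that open design with a gated one: the hardened service accepts calls only from registered requesters, enforces a per-requester rate limit, and writes an audit record of requester and outcome without logging the demographic fields themselves. The Aadhaar records, requester keys, limits and window are all constructed for the example.

```python
"""Demographic-authentication service: the open oracle beside a gated one.

Added illustration, not UIDAI code. The records, API keys, rate limit and
window below are constructed for the example.
"""
import hmac
import time
from collections import deque
from dataclasses import dataclass, field

# Constructed sample records: fictitious 12-digit numbers -> (name, gender, dob).
RECORDS = {
    "123412341234": ("ASHA DEVI", "F", "1990-01-15"),
    "567856785678": ("RAVI KUMAR", "M", "1985-07-02"),
}


def open_oracle(aadhaar, name, gender, dob):
    """The weak design the article describes: no requester identity,
    no rate limit, answers anyone who can reach the URL."""
    return "yes" if RECORDS.get(aadhaar) == (name.upper(), gender, dob) else "error"


@dataclass
class GatedAuthService:
    """Hardened form: only registered requesters, a per-requester
    sliding-window rate limit, and an audit log of every call."""
    api_keys: dict                  # requester id -> shared secret (constructed)
    max_per_window: int = 5         # assumed limit for the example
    window_seconds: int = 60
    _calls: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _authenticate(self, requester, presented_key):
        expected = self.api_keys.get(requester)
        # constant-time compare so key checking does not leak through timing
        return expected is not None and hmac.compare_digest(expected, presented_key)

    def _rate_limited(self, requester, now):
        q = self._calls.setdefault(requester, deque())
        while q and now - q[0] > self.window_seconds:   # drop calls outside the window
            q.popleft()
        if len(q) >= self.max_per_window:
            return True
        q.append(now)
        return False

    def verify(self, requester, presented_key, aadhaar, name, gender, dob, now=None):
        now = time.time() if now is None else now
        if not self._authenticate(requester, presented_key):
            self.audit_log.append((now, requester, "unauthenticated"))
            return "error: requester not authenticated"
        if self._rate_limited(requester, now):
            self.audit_log.append((now, requester, "rate_limited"))
            return "error: rate limit exceeded"
        match = RECORDS.get(aadhaar) == (name.upper(), gender, dob)
        # record who asked and the outcome; never the demographic fields themselves
        self.audit_log.append((now, requester, "yes" if match else "no"))
        return "yes" if match else "error: no match"


if __name__ == "__main__":
    svc = GatedAuthService(api_keys={"bank-01": "constructed-key"})
    print(open_oracle("123412341234", "Asha Devi", "F", "1990-01-15"))
    print(svc.verify("bank-01", "wrong", "123412341234", "Asha Devi", "F", "1990-01-15"))
    print(svc.verify("bank-01", "constructed-key", "123412341234", "Asha Devi", "F", "1990-01-15"))
```

The two functions return the same yes/no answer for the same input; the difference is entirely in what surrounds the answer. Binding each call to a registered requester is what makes the rate limit and the audit log meaningful, since an anonymous caller can neither be throttled nor held to account.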

What led the breach to happen?

In 2010, the UIDAI allowed private agencies in different parts of the country to enrol users in the Aadhaar system in order to speed up enrolment. In the same year, Bengaluru-based Mindtree won a contract to develop an official, standardized enrolment software, called the Enrolment Client Multi-Platform (ECMP), that would be installed on the thousands of computers maintained by these private operators. Instead of a web-based system in which all software would run on the UIDAI’s servers and enrolment operators would log in with a username and password, the software was installed on each enrolment computer. Web-based enrolment software was not practical at the time because many parts of the country had very poor Internet connectivity. To make data security foolproof, more features were added to the software used by Aadhaar enrolment operators: operators had to log in by first providing a fingerprint or iris scan, and a GPS device was attached to verify the location of the login. However, in early 2017, these security features were bypassed by a software hack.

The culprits here exploited the access rights of over 3 lakh village-level enterprise (VLE) operators. During the initial days of Aadhaar enrolment, the Ministry of Electronics and Information Technology (ME&IT) had hired around 3 lakh VLEs under the Common Service Centres Scheme (CSCS) to enrol citizens into Aadhaar. In April 2017, such initiatives were banned, and only post offices and bank premises were allowed to be used for Aadhaar enrolment. These lakhs of VLEs suddenly became jobless and, to earn additional income, started offering ‘Aadhaar services’ to edit or modify others’ details. Some of them crossed the line and began offering full access to the Aadhaar database using their own IDs and passwords. This is a major security lapse: the UIDAI should have terminated all such VLEs’ access to the UIDAI database.
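The three patch bypasses listed earlier, the ECMP design that placed the biometric and GPS checks inside client software, and the VLE credentials that were never revoked all share one lesson: a control that lives only in the client can be patched out, so the server must re-derive every decision from data it holds itself. The following added example (my own illustration, not the ECMP client or any UIDAI back-end code) shows a server-side enrolment gate that rejects a submission when the operator is no longer active, when the server-computed operator biometric match is below threshold regardless of what the client claims, or when the device reports no location or a location outside the operator’s registered centre. The operator registry, centre coordinates, thresholds, geofence radius and packets are constructed; the match score is assumed to come from a server-side matcher that is not shown.

```python
"""Server-side enrolment gate that a patched client cannot switch off.

Added illustration, not the ECMP client or any UIDAI back-end code. The
operator registry, centre coordinates, thresholds and packets are constructed.
"""
import math
from dataclasses import dataclass
from typing import Optional

# Constructed operator registry: status and registered centre per operator.
# OP-2002 stands for a VLE whose enrolment rights lapsed in April 2017.
OPERATORS = {
    "OP-1001": {"status": "active", "centre": "PO-DELHI-01"},
    "OP-2002": {"status": "revoked", "centre": "VLE-BIHAR-77"},
}
CENTRES = {  # constructed lat/lon of registered enrolment centres
    "PO-DELHI-01": (28.6139, 77.2090),
    "VLE-BIHAR-77": (25.5941, 85.1376),
}
MAX_DISTANCE_KM = 5.0      # assumed geofence radius around the registered centre
MIN_OPERATOR_MATCH = 0.90  # assumed server-side biometric match threshold


@dataclass
class EnrolmentPacket:
    operator_id: str
    client_says_operator_verified: bool  # flag set by the client; never trusted
    operator_match_score: float          # assumed computed by a server-side matcher
    device_lat: Optional[float]          # None when the client "disabled" GPS
    device_lon: Optional[float]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def validate_enrolment(p):
    """Return (accepted, reasons). Every decision is re-derived from server
    data, so a client patch that fakes flags, lowers the iris threshold or
    disables GPS changes nothing here."""
    reasons = []
    op = OPERATORS.get(p.operator_id)
    if op is None or op["status"] != "active":
        reasons.append("operator not active")        # revoked VLE credentials stop here
    if p.operator_match_score < MIN_OPERATOR_MATCH:   # client flag deliberately ignored
        reasons.append("operator biometric match below threshold")
    if p.device_lat is None or p.device_lon is None:
        reasons.append("device location missing")
    elif op is not None:
        lat, lon = CENTRES[op["centre"]]
        if haversine_km(lat, lon, p.device_lat, p.device_lon) > MAX_DISTANCE_KM:
            reasons.append("device outside registered centre")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(validate_enrolment(EnrolmentPacket("OP-1001", True, 0.97, 28.6139, 77.2090)))
    print(validate_enrolment(EnrolmentPacket("OP-2002", True, 0.97, 25.5941, 85.1376)))
    print(validate_enrolment(EnrolmentPacket("OP-1001", True, 0.40, None, None)))
```

The `client_says_operator_verified` field is carried in the packet only to make the point visible: the gate never reads it. Revoking an operator is a one-line change in the registry, which is exactly the step the article says was missing for the de-authorised VLEs.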

Mitigation steps to avoid future data breaches:

1. Provide security education and training

Your workforce can steer clear of ransomware and other malware only if they know what these threats are, how they work and what precautions to take. Being locked out of devices or files, or having sensitive data stolen, has serious consequences for an organization. A spear-phishing crime spree against 300 U.S. universities (and others around the globe) in March 2018 resulted in the theft of 31 terabytes of data worth US$3 billion in intellectual property; about 8,000 users clicked on malicious links and entered their network login credentials.

2. Enforce strong passwords

A strong password is the first line of defence against intruders and impostors. Users need reminders never to share passwords and never to use a single password across systems. One study evaluated 6.1 million anonymized passwords and found that the most dangerous mistake people make is recycling the same password (or a slight variation of it) across numerous websites. Unique, long passwords that mix upper- and lower-case letters, numbers and special symbols remain the most durable.

3. Use safe data transfer

Limit the ability to transfer data from one device to another to reduce the risk of data falling into the wrong hands. Using secure transmission protocols over a secure channel provides safe data transfer. Malicious users can intercept or monitor plaintext data crossing an unencrypted network and gain unauthorized access to it.

4. Screen third party vendors

Your security is only as good as its weakest link. It is easy to overlook the trustworthiness of your third-party vendors and consultants. Make sure they have enabled proper security controls that prevent attackers from accessing their network and then infiltrating yours. An intrusion prevention system (IPS) is a must-have for monitoring your network or systems for malicious activity or policy violations.

5. Control hardware access

Regulate which employee computers and devices have access to company data; encrypted PCs and devices help significantly. In any workplace, several devices may be connected to a server, so administrators must control access to systems, monitor and limit resource use, and protect files, among other functions, to maintain a high level of security.

6. Consider a private cloud

Prevent open access to sensitive data by creating an internal private cloud infrastructure in which access is granted to a select number of users who need the data. IT manages and provides secure cloud services that support specific business needs.

7. Use advanced authentication

Implement password updates and two-step authentication to mitigate the risk of unauthorized access. To further reduce the risk of a data breach, you can limit the websites that can be accessed from work devices, require regular password changes, keep security software updated and monitor access to data.
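As an added example of the two-step login recommended here (my own illustration, not code from the article), the block below implements the time-based one-time password of RFC 6238 on top of the HOTP algorithm of RFC 4226 and combines it with a salted password check. The verifier tolerates one time step of clock skew in either direction and refuses to accept a time step it has already accepted, so a captured code cannot be replayed. The user record, password and salt are constructed; the TOTP secret is the RFC 4226/6238 reference test secret, chosen so the codes can be checked against the published test vectors, and must never be used in a real deployment.

```python
"""Two-step login: salted password check followed by an RFC 6238 TOTP.

Added illustration, not from the article. The user record is constructed;
the TOTP secret is the RFC 4226/6238 test secret, used only so the codes can
be verified against the RFC vectors.
"""
import hashlib
import hmac
import os
import struct
import time

STEP = 30      # TOTP time step in seconds
DIGITS = 6
TEST_SECRET = b"12345678901234567890"   # RFC test secret, demonstration only


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class SecondFactor:
    """Verifies a submitted code with +/-skew_steps tolerance and refuses to
    accept any time step at or before the last accepted one (replay guard)."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew = skew_steps
        self.last_accepted_step = -1

    def verify(self, code: str, at=None) -> bool:
        at = int(time.time()) if at is None else at
        current = at // STEP
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_accepted_step:
                continue                        # already used or older: reject replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record: salted PBKDF2 hash plus a per-user second factor.
_SALT = os.urandom(16)
USERS = {
    "asha": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "second_factor": SecondFactor(TEST_SECRET),
    }
}


def login(user: str, password: str, code: str, at=None) -> bool:
    """Step one: password. Step two: TOTP. Both must pass; the TOTP is only
    consulted after the password succeeds so a wrong password burns no step."""
    rec = USERS.get(user)
    if rec is None:
        return False
    if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"]):
        return False
    return rec["second_factor"].verify(code, at)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(TEST_SECRET, now))
    print("login:", login("asha", "correct horse battery staple", totp(TEST_SECRET, now), now))
```

The ordering inside `login` matters: checking the password first means a wrong password never consumes the one-time code, while the replay guard in `SecondFactor` means a correct code is good for exactly one login. At time 59 the RFC 6238 vector for this secret gives counter 1 and code 287082, which the verifier accepts once and then refuses.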

8. Update software

Keep software current to prevent gaps in your security. Older software with known bugs and exploitable holes in its code is vulnerable to attack. Regular software maintenance helps minimize the chance of systems being hacked.
