UIDAI denies reported major Aadhaar security breach
The Unique Identity Authority of India (UIDAI) has responded to a media report claiming that access to the entire Aadhaar database could be purchased for 500 rupees (roughly $8) by saying that no biometric data has been breached, The Indian Express reports.
The Chandigarh-based Tribune media outlet claimed not only that it had purchased unrestricted access to details for any of the more than one billion Indian citizens from an anonymous WhatsApp user, but also that for an even smaller sum, it had purchased software enabling fake Aadhaar cards to be printed.
The UIDAI responded with a statement: “UIDAI reassures that there has not been any data breach of biometric database which remains fully safe and secure with highest encryption at UIDAI and mere display of demographic information cannot be misused without biometrics.”
Local UIDAI officials expressed shock when told of the data’s availability, according to the report. “Except the Director-General and I, no third person in Punjab should have a login access to our official portal. Anyone else having access is illegal, and is a major national security breach,” Chandigarh UIDAI Regional Center Additional Director General Sanjay Jindal was quoted as saying.
The official UIDAI response, however, attributed the case to a “misuse of the grievance redressal search facility.” The agency said it would take criminal action against those responsible, but also that “Aadhaar data is fully safe and secure and has robust, uncompromised security.”
Lisa Baergen, director at NuData Security, says that even without the associated biometric information, the incident illustrates the importance of applying strong data security to personally identifiable information (PII).
“This kind of data breach shows how easy it can be for cybercriminals to access PII, and how organized cybercriminals can be in distributing this information — in this particular instance using anonymous WhatsApp groups to offer their services,” Baergen comments. “The UIDAI have suggested that no biometric data was accessed, but even so, the amount of PII that has been accessed provides a healthy pipeline for future cybercriminals. In future, organizations should take more stringent security measures in protecting PII, including passive biometrics and two factor authentication.”
As previously reported, the UIDAI was forced to issue a statement in November asserting that the publication of Aadhaar numbers and other information did not constitute a major security breach, as Aadhaar numbers themselves are not secret, and can only be utilized with the biometrics of the individual.