Indian govt’s insistence that Aadhaar is secure rings hollow in wake of breaches
India is bleeding biometric information, with new data breaches giving credence to a recent report by the credit rating agency Moody’s warning that Aadhaar’s centralized biometric digital ID system has privacy and security vulnerabilities.
A piece in Security Affairs reports that earlier this month, the cybersecurity firm Resecurity found hundreds of millions of records containing personally identifiable information (PII) for sale on the dark web. Aadhaar cards were among the data on offer.
Also in October, the PII of applicants to a program for young filmmakers at the International Film Festival of India was exposed on a government website for the event. The Deccan Herald reports that the Times of India was able to access a parent directory that contained the Aadhaar IDs, PAN cards and other PII of more than 100 people who applied through the National Film Development Corporation (NFDC).
Furthermore, as reported in The Hindu, a police raid on a brothel in Bengaluru found that sex workers had been given fake Aadhaar cards, and prompted an investigation into wider production of fake government IDs, voter cards and other documents.
And finally, there is the now-resolved case of fingerprint biometrics, digital ID numbers, identity documents, photographs and images submitted to Aadhaar being exposed by the West Bengal state government website.
The Indian government has shown little interest in taking responsibility for any security lapses. Moody’s claimed that Aadhaar’s fingerprint biometrics system is unreliable in humid climatic conditions and problematic for manual laborers, and that the centralized data management system gives users no control over their data. In response, the Ministry of Electronics and IT published a scathing retort boldly arguing that no data breaches have been recorded and calling Aadhaar “the most trusted digital ID in the world.”
“The Moody’s report ignores that biometric submission is also possible through contactless means like face authentication and iris authentication,” the statement reads. In the case of the film festival, an unnamed government source told the Times of India that the Creative Minds of Tomorrow portal had been outsourced by NFDC to a separate web development agency, which bears responsibility for the breach. And an earlier claim about a breach on CoWIN was dismissed as mischief.
Aadhaar digital IDs use core biometric markers of 10 fingerprints and two iris scans. The ID is linked to a wide array of government services, and plans are underway to link voter registration to Aadhaar.
A recent IBM Security report pegged the average cost of a data breach in India at 179 million rupees (around US$2.1 million), a 28 percent increase from 2020.