Personal identities of many as 135 million Indian citizens with Aadhaar numbers have been leaked due to non-implementation of information security practices by government agencies.
Four government projects in India have made personal financial information and Aadhaar numbers of citizens public on their websites.
The Aadhaar number is a 12-digit unique-identity number issued by the Unique Identification Authority of India (UIDAI) to Indian citizens, which is very similar to social security numbers issued in the United States. Implemented on a war footing, Aadhaar numbers have been allocated to over 90% of the Indian population so far. As on 31st March, over 1.13 billion Indians had Aadhaar cards.
While Aadhaar is not legally mandatory, it helps citizens avail government services, open bank accounts, receive subsidies, apply for central and state jobs and also avail insurance and provident fund benefits. However, all that data is maintained digitally by UIDAI and is also used by smaller government agencies at state level. Questions have been raised time and again concerning the security of such a large database and if it was immune to hacking attempts.
The Centre for Internet and Society has now revealed that due to non-implementation of information security practices by four government agencies, unique identities and personal information of as many as 135 million Aadhaar users have been published online. The four agencies are the National Social Assistance Programme, the National Rural Employment Guarantee Act (NREGA), the Andhra Pradesh government’s Daily Online Payment Reports and Chandranna Bima insurance scheme.
"While initiatives such as the government open data portals may be laudable for providing easy access to government data condensed for easy digestion, however in the absence of proper controls exercised by the government departments populating the databases which inform the data on the dashboards, the results can be disastrous by divulging sensitive and adversely actionable information about the individuals who are responding units of such databases," said a report published by the Centre for Internet and Society.
"Thus, while availability of aggregate information on the Dashboard may play a role in making government functioning more transparent, the fact that granular details about individuals including sensitive PII such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away suggest how poorly conceived these initiatives are," it added.
The researchers were not only able to download such data as spreadsheets from government websites, but were also able to obtain full Aadhaar numbers of individuals due to inconsistent masking patterns. For example, some agencies masked the first four digits while others masked the middle digits, making it simpler for malafide hackers to join the dots. The researchers estimate the "number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million and the number of bank accounts numbers leaked at around 100 million."
The most revealing database of all was that of the National Rural Employment Guarantee Act (NREGA). This country-wide scheme, which offers 100 days of guaranteed employment in a year, extends to 683 districts in the country with over 25,46,00,000 workers. The researchers could unearth sensitive personal information like job card numbers, Aadhaar card numbers, Bank/Postal Account Number, no. of days worked, Registration Numbers and account frozen status.
"These are cases where the data in question has not been treated as confidential at all, and the government agencies in question have, in fact, taken pains to publish them. Rather than leaks or security breaches, these are wilful and intentional instances of treating Aadhaar Numbers and other PII as publicly shareable data by the custodians of the data," said the report.
While the UIDAI has kept its own data secure, it has not ensured implementation of strict security standards in other government websites which are seeded with Aadhaar numbers, for which researchers at the Centre for Internet and Society have called the UIDAI "extremely irresponsible." Such irresponsibility now opens tonnes of data open to hackers who can either sell such data, commit identity fraud or misuse them for other purposes.
Photo courtesy: Financial Times (India)