Indian government portal leaks 8.9mn Aadhaar details, again

• Two consecutive leaks from Kodali of Aadhaar numbers
• Posted leaked numbers on Twitter
• Database maybe secure but government portals need additional security

Two new cases have come to light with a total of 8.9 million Aadhaar numbers of MGNREGA beneficiaries leaked through the Andhra Pradesh Benefit Disbursement Portal. The details were spotted by Srinivas Kodali, also known as @digitaldutta, who published screenshots on Twitter.
His earlier tweet shows how people’s Aadhar numbers are being to used to collate data on their location, religion, caste, phones numbers and bank account numbers.
The first leak by Kodali was from the Andhra Pradesh State Housing Corporation. It showed an even grimmer reality of how Aadhar numbers are being linked to caste, the type of house a person lives in and the extent of damage it has suffered.
Since then, he has reported the issue to the authorities, but his fear is that the surveys conducted in Andhra and Telangana have allowed citizens to carry phones and biometric readers, collecting private information on almost every individual.

Not the first time

Most recently, Karan Saini, a security researcher, told ZDNet that Aadhaar card information could be obtained through Indane’s system, a state-owned utility company. According to them, they tried to contact the authorities for over a month through several avenues but to no avail.

The affected endpoint was only pulled offline once the story had gone live.

The Tribune also looked into the Aadhaar database and found that they could attain all the details about a person by typing in the 12-digit unique identification number once they paid an agent ₹500 (approximately $8). For another ₹300 (approximately $5), that same individual could even print out a copy the Aadhaar card, which could then be used to access various government schemes.

Even the Android Aadhaar app was hacked by Robert Batiste, a french researcher, in under a minute.
That said, Aadhaar breaches haven’t been directly through the Aadhaar database, but through various government portals and third-parties. So, Ajay Bushan Pandey, CEO of UIDAI, wasn’t incorrect when he said that there have been no data leaks from the UIDAI database.

The Aadhaar card system, in its usage, is more than just the database. There’s a wide ecosystem to be take in to account where security concerns are yet to be addressed. A secure database doesn’t necessarily imply security of information since so much of it exists outside the Aadhaar database itself.