1 Billion People Exposed in Aadhaar Data Breach

It is being billed as one of the worlds largest data breaches ever. 1 billion people have been exposed in the Aadhaar data breach.

The Sony data breach exposed the records of 70-77 million records. The Alteryx data leak exposed 123 million people. 143 million were exposed in the Equifax breach. That, of course, only puts this latest data breach into perspective.

Indian newspaper, Tribune India, said that people using WhatsApp were soliciting access to the database for a mere 500 rupees (about $9.80 Canadian). The newspaper paid the money and were given login credentials. It turns out, the credentials were real:

It took just Rs 500, paid through Paytm, and 10 minutes in which an “agent” of the group running the racket created a “gateway” for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.

What is more, The Tribune team paid another Rs 300, for which the agent provided “software” that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.

When contacted, UIDAI officials in Chandigarh expressed shock over the full data being accessed, and admitted it seemed to be a major national security breach. They immediately took up the matter with the UIDAI technical consultants in Bangaluru.

(Link via the Guardian)

In response to the data breach, the UIDAI submitted an FIR against the newspaper and reporter for purchasing the data. This is happening while the UIDAI said that there is no data breach to begin with. From Indian Express:

A deputy director of the Unique Identification Authority of India (UIDAI) has registered an FIR against The Tribune newspaper and its reporter Rachna Khaira following her report on how anonymous sellers over WhatsApp were allegedly providing access to Aadhaar numbers for a fee.

The FIR also names Anil Kumar, Sunil Kumar and Raj, all of whom were mentioned in The Tribune report as people Khaira contacted in the course of her reporting.

Joint Commissioner of Police (Crime Branch) Alok Kumar confirmed that an FIR had been registered and an investigation launched. The FIR has been lodged with the Crime Branch’s cyber cell under IPC Sections 419 (punishment for cheating by impersonation), 420 (cheating), 468 (forgery) and 471 (using as genuine a forged document), as well Section 66 of the IT Act and Section 36/37 of the Aadhaar Act.

For those who don’t know, an FIR is a First Information Report. Wikipedia explains:

A First Information Report (FIR) is a written document prepared by police organizations in countries like Bangladesh, India, and Pakistan when they receive information about the commission of a cognisable offence, or in Singapore when the police receives information about any criminal offence. It is generally a complaint lodged with the police by the victim of a cognizable offense or by someone on his or her behalf, but anyone can make such a report either orally or in writing to the police.

For a non cognizable offense a Community Service Register is created & registered.

FIR is an important document because it sets the process of criminal justice in motion. It is only after the FIR is registered in the police station that the police take up investigation of the case. Anyone who knows about the commission of a cognizable offence, including police officers, can file an FIR.

So, essentially, charges seem to be forthcoming against the reporter and the newspaper for reporting on the breach.

In response to the FIR being filed, the Editors Guild is demanding that it be withdrawn. From Times of India:

The Editors Guild of India today sought government intervention for the withdrawal of an FIR filed by the UIDAI over a newspaper report on the breach of details of more than one billion Aadhaar cards and called for an “impartial” investigation into the matter.

“Instead of penalising the reporter, UIDAI should have ordered a thorough internal investigation into the alleged breach and made its findings public. The Guild demands that the concerned Union Ministry intervene and have the cases against the reporter withdrawn apart from conducting an impartial investigation into the matter,” the Editors Guild said in a press release.

Criticising the lodging of the FIR, the Guild said it was “deeply concerned” over reports that Unique Identification Authority of India (UIDAI) Deputy Director B M Patnaik had registered an FIR over The Tribune newspaper report in the Crime Branch of the Delhi Police.

“The Guild condemns UIDAI’s action to have The Tribune reporter booked by the police as it is clearly meant to browbeat a journalist whose investigation on the matter was of great public interest. It is unfair, unjustified and a direct attack on the freedom of the press,” it said.

The reporter of the Tribune newspaper has been booked under the Indian Penal Code sections 419 (punishment for cheating under impersonation), 420 (cheating), 468 (forgery), 471 (using a forged document) and also under sections of the Information Technology Act and the Aadhar Act, it added.

In a nutshell, the approach being taken by the authorities is basically shooting the messenger. The reporter in question exposed the scheme, not the data.

As for the size of the data breach, while the number of records exposed here is staggering, it isn’t the largest one in history. To our knowledge, it is second only to the Yahoo! data breach which had 3 billion records exposed. Even if it isn’t the worlds largest data breach, the size is staggering. Basically, this breach exposed about 2 in 15 people in the entire world. So, the damage that this could cause is no doubt going to be felt for quite some time.

Drew Wilson on Twitter: @icecube85 and Google+.


7 Trackbacks

Leave a Reply

Your email address will not be published. Required fields are marked *