Aadhaar 1 Billion Person Data Breach Sparks Litigation

The massive Aadhaar data breach saw 1 billion people exposed to anyone willing to pay 500 rupees. Now, litigation is commencing by a human rights organization.

The Aadhaar database contains biometric and personal data of almost every adult living in India. It is a government mandated collection of information. The UIDAI (Unique Identification Authority of India) insists the information is safe. Unfortunately, as we found out over the weekend, that confidence has been shaken to the core as it suffered a breach.

The data breach was discovered by a reporter working for Indian newspaper the Tribune. Someone was selling log-in credentials for a mere 500 rupees (about $9.80 Canadian). For an additional 300 rupees, ID cards could be printed for anyone requested in the database. When the reporter paid the 500 rupees, he found himself with legitimate access to the database.

In response, the UIDAI repeatedly said that there was no breach or leak of any kind. Curiously, they also filed an FIR (First Information Report) to initiate criminal charges against the reporter and the newspaper anyway in spite of their claims of the data being safe. In response to that, the Editors Guild of India demanded that the FIR be withdrawn.

Now, the fallout is growing. According to The Tribune (the same paper that reported this incident in the first place), human rights activist and chairman Ranjan Lakhanpal of the World Human Rights Protection Council filed public interest litigation in the Punjab and Haryana High Court calling for an independent probe into the incident. From the report:

Lakhanpal alleged the government was trying to muzzle the press. “We have demanded that the FIR lodged with the cyber cell of Delhi Police be withdrawn and those responsible for the data leak brought to book.”

Meanwhile, Himanshu Pathak, PPCC vice-president, has lodged a police complaint against AB Pandey, CEO, Unique Identification Authority of India (UIDAI). He has demanded that a case be filedfor “failing to protect personal details”. Police Commissioner Praveen Sinha said legal opinion would be sought before initiating a probe.

With the way things are going, this only sounds like the beginning of a much more long and drawn out process. It is really hard to sweep a breach affecting pretty much the entire country under the rug in most countries. It seems India is no exception to this. Britain knows this all too well. Back in 2007, two CDs containing unencrypted data on half the population of the country was lost in the mail. It sparked emergency government sessions and a whole lot of political turmoil.

It’ll be interesting to see how the story unfolds in India.

Drew Wilson on Twitter: @icecube85 and Google+.


1 Trackback

Leave a Reply

Your email address will not be published. Required fields are marked *