Another Data Breach Affects Aadhaar Users – 34.5 Million Possibly Compromised Drew Wilson | May 11, 2018 There’s been another data breach related to Aadhaar. This time, a service linked to the database had their information compromised. There could be fresh concerns regarding the Aadhaar database. This time, it is related to a service linked to the biometrics database. From Quartz: On May 01, a letter from the central provident fund commissioner, V P Joy, to Dinesh Tyagi, the CEO of the government’s Common Services Centre (CSC), which provides digital services, was leaked on Twitter. Dated March 23, the letter said that the Intelligence Bureau had found that data had been “stolen by hackers exploiting the vulnerabilities prevailing in the website (aadhaar.epfoservices.com) of the EPFO.” On the website, hosted at the National Data Centre but managed by the CSC, individuals could link their provident funds with Aadhaar, India’s biometric identity programme. While not mandatory, the EPFO had been encouraging subscribers to link their accounts with Aadhaar to improve the delivery of services. Joy reportedly stated in the letter that the EPFO had stopped the servers of the site and discontinued its hosted services, and urged Tyagi to plug the security gaps. The website maintained confidential information such as Aadhaar and PAN numbers (taxpayer identification codes), as well as salary details. It’s not clear how many Indians may have been affected but the EPFO has reportedly linked 34.5 million active provident fund accounts with Aadhaar. No one has claimed responsibility for the hack as yet. The Unique Identification Authority of India, which is responsible for the Aadhaar platform, has clarified that the affected website does not belong to it, and that no data breach has occured at its end. On May 02, the EPFO released a statement saying “no confirmed data leakage has been established or observed so far.” A senior official told The Times of India newspaper that the data was completely secure and there was no need to panic. This isn’t the first time the Aadhaar system faced questions about the security of personal information. Last January, the Aadhaar database itself suffered a breach where anyone willing to pay 500 rupees could access anyone’s personal information. The breach ultimately affected 1 billion people and is not only one of the largest database breaches in history, but arguably the most significant. The breach sparked litigation. In response, the authority behind Aadhaar went into damage control, trying to reassure the people of India that their information is safe. In fact, reports later surfaced that suggests that the authority contemplated litigating journalists reporting on the breach. Obviously, with another breach taking place, it’s going to make it harder to sell the idea that the Aadhaar system is secure. This latest breach shows that May is beginning to show signs that it too will be an active month in terms of leaks and breaches. Last month, Saks and Lord & Taylor suffered a breach where 5 million credit cards were compromised. Days later, Panerabread suffered a data leak that potentially exposed 37 million customers. An unknown number of people had their information compromised during the Sears and Delta data breach. That breach also saw Best Buy and Kmart folded into the mix. The month ended with a considerable bang when VNG apologized after 163 million of their accounts were exposed in a data breach. While this month seem to get off to a slow start, the first breach we’ve been able to report shows that we are heading into another eventful month. Drew Wilson on Twitter: @icecube85 and Google+.