Want Anybody's Personal Details From Aadhaar, India's Billion-Person Identity Database? Yours For $8

from the Aadhaar-admin-accounts-also-available-on-request dept

We've been writing about the world's largest biometric database, India's Aadhaar, since July 2015. Over 1.1 billion people have now been enrolled, and assigned an Aadhaar number and card, which represents 99.9% of India's adult population. There are currently around 40 million authentications every day, a number that will rise as Aadhaar becomes inescapable for every aspect of daily life in India, assuming it survives legal challenges. That scale necessarily entails a huge infrastructure to handle enrollment and authentication. So it will comes as no surprise to Techdirt readers that it turns out you can obtain unauthorized access to the Aadhaar system very easily, and for very little cost. As the Indian newspaper The Tribune revealed:

It took just Rs 500 [about $8], paid through Paytm [an Indian online payment system], and 10 minutes in which an "agent" of the group running the racket created a "gateway" for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.

What is more, The Tribune team paid another Rs 300 [$4.75], for which the agent provided "software" that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.

Given the repeated assurances by the UIDAI that the Aadhaar database was completely secure, this is big news, and led to some breathless damage limitation by the Indian authorities on Twitter. The UIDAI explained that: "Some persons have misused demographic search facility, given to designated officials to help residents who have lost Aadhaar/Enrollment slip to retrieve their details"; and: "There has not been any data breach of biometric database which remains fully safe & secure with highest encryption at UIDAI and mere display of demographic info cannot be misused without biometric". Although it may be true that this is not a biometric data breach, it nonetheless reveals a serious vulnerability in the system's design, and on a vast scale. According to the original article in The Tribune, more than 100,000 "village-level enterprise operators", hired to help with Aadhaar enrollment, have been offering this kind of unauthorized access to the database. In fact, the problem seems to be even more serious than simply providing login credentials to thousands of people. Here's what another Indian site discovered:

Following up on an investigation by The Tribune, The Quint found that completely random people like you and me, with no official credentials, can access and become admins of the official Aadhaar database (with names, mobile numbers, addresses of every Indian linked to the UIDAI scheme). But that's not even the worst part. Once you are an admin, you can make ANYONE YOU CHOOSE an admin of the portal. You could be an Indian, you could be a foreign national, none of it matters -- the Aadhaar database won't ask.

Even if biometric data is not involved, it's hard to see how UIDAI could claim that these aren't breaches of the database, or deny that the entire Aadhaar system is seriously compromised. It's almost inevitable that the security of an important database system will be defeated eventually in some way, since the rewards are by definition so high. The fundamental problem with Aadhaar is its underlying intent -- to create a single, giant database with key personal information about a billion people that can be accessed very frequently and very widely. That's never going to be safe, as the inevitable future breaches will confirm.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: aadhaar, database, hacked, id, identity, india, privacy


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Ninja (profile), 8 Jan 2018 @ 12:13pm

    Oh boy, it's going to be funny to watch when they have to change the citizenry passwords. Oh wait, they won't because you can't change biometry.

    *grabs popcorn*

    This is going to be an interesting shit show.

    link to this | view in thread ]

  2. icon
    Roger Strong (profile), 8 Jan 2018 @ 12:51pm

    In unrelated news, Wells Fargo stock value jumps after reports of a billion new users signing up for accounts and credit cards.

    link to this | view in thread ]

  3. identicon
    Pixelation, 8 Jan 2018 @ 12:54pm

    "Given the repeated assurances by the UIDAI that the Aadhaar database was completely secure, this is big news"

    It is completely secure...when it's completely shut off.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 8 Jan 2018 @ 1:46pm

    Apparently they outsourced their tech support...

    ...to Bangalore.

    link to this | view in thread ]

  5. identicon
    Dan, 8 Jan 2018 @ 2:36pm

    Weakest link :)

    You need to define data breach first. It doesn't need to be a very highly skilled hacking into the system and copying to the wild. It can just be one of the 1000s of weakest links with a login and password :)

    link to this | view in thread ]

  6. icon
    Drew_Wilson (profile), 8 Jan 2018 @ 3:31pm

    They Want to Jail The Reporter

    The punchline is that the UIDAI is actively trying to jail the reporter and file criminal charges against the newspaper for bringing this whole thing to light through an FIR: http://www.freezenet.ca/1-billion-people-exposed-aadhaar-data-breach/

    Methinks someone at the UIDAI is embarrassed right now.

    link to this | view in thread ]

  7. identicon
    Christenson, 8 Jan 2018 @ 3:59pm

    Re: They Want to Jail The Reporter

    So, can I please have the ID card for the Prime Minister? I want to be him for an hour or two's joyride!

    link to this | view in thread ]

  8. identicon
    Deepak, 8 Jan 2018 @ 4:15pm

    Lol. It is not unauthorized access.
    Some official with an authorized access to a customer grievance portal allowed someone to lookup for name and address for a given aadhar number. Do you share your SSN? If others don't have your aadhar they can't lookup your details. Its funny how people interpret this as a compromise of UIDAI system.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 8 Jan 2018 @ 5:26pm

    Re:

    Yeah - it's not big deal, nothing to see here - move along.
    They are going after the reporter for other unrelated reasons I'm sure

    /s

    link to this | view in thread ]

  10. identicon
    CHIDANANDA KAKUNJE, 8 Jan 2018 @ 6:27pm

    Google has more for free

    If you search by last name or first name there is lot many info available for free, why spend r₹500?

    link to this | view in thread ]

  11. icon
    Drew_Wilson (profile), 8 Jan 2018 @ 7:19pm

    Re: Re: They Want to Jail The Reporter

    All it costs if 500 rupees to gain access to the database and an additional 300 rupees to print the cards, so really, the only thing stopping you is a couple of clay pots and getting in contact with whoever was selling that access on WhatsApp, really.

    link to this | view in thread ]

  12. icon
    Coyne Tibbets (profile), 8 Jan 2018 @ 8:14pm

    Six Degrees of Separation

    An admin can make anyone an admin?

    I think it is time to give this Six Degrees of Separation thing a trial. All the admins make everyone they know an admin and let's see if we can get the whole planet signed up.

    Can admins demote other admins? If they can, then bonus points if we can lock all of the proper admins out.

    link to this | view in thread ]

  13. identicon
    Andrew Watson, 9 Jan 2018 @ 2:22pm

    As predicted ....

    It's all playing out exactly as predicted by the NO2ID campaign when it was fighting the proposed United Kingdom ID card ten years ago:

    https://www.no2id.net/wp-content/uploads/2013/12/database-man.pdf

    https://www.no2id.net/wp-conten t/uploads/2013/12/takejane-

    After an extended narional campaign, we got the UK scheme stopped. Thank goodness.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.