Indian state government leaks thousands of Aadhaar numbers | TechCrunch (2024)
A lapse in security has led to the leaking of more than 100,000 Aadhaar numbers, TechCrunch can reveal.
One of the web systems used to record attendance of government workers for the Indian state of Jharkhand was left exposed and without a password as far back as 2014, allowing anyone access to names, job titles, and partial phone numbers on 166,000 workers as of the time of writing.
But the photo on each record page used the file name as that worker’s Aadhaar number, a confidential 12-digit number assigned to each Indian citizen as part of the country’s national identity and biometric database.
The data leak isn’t a direct breach of the central database run by Aadhaar’s regulator, the Unique Identification Authority of India (UIDAI), but represents another lapse in responsibility from the authority charged with protecting its data.
Aadhaar numbers aren’t strictly secret, but are treated similarly to Social Security numbers. Anyone of the 1.23 billion Indian citizens enrolled in Aadhaar — more than 90 percent of the population — can use their unique number or their thumbprint to verify their identity in order to enroll in state services, like voting, welfare or financial assistance. Aadhaar users can even use their Aadhaar identity to open a bank account, get a SIM card, call an Uber, buy somethingon Amazon or rent an Airbnb.
But the system has been plagued with problems that have led to starvation in cases, and the illicit trade of citizen data on the underground market.
It’s unclear why the Jharkhand government site was accessible to anyone who knew where to look, but little effort had been put in to ensure the security of the system — or even hide it from the outside world. The site was easily found on a subdomain of the state government’s website, and it was indexed by Google, which cached copies of not only the site itself, but also its attendance record pages thatstill contain Aadhaar numbers in each worker’s photo.
TechCrunch asked Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, to take a look at the site. Robert has prior experience in revealing Aadhaar-related data leaks. Using less than a hundred lines of Python code, Robert demonstrated that it was easy for anyone to scrape the entire site in batches to download their photos and corresponding Aadhaar numbers.
TechCrunch verified a small selection of Aadhaar numbers from the site using UIDAI’s own verification tool on its website. (We used a VPN in Bangalore as the page was unavailable in the U.S.). Each record came back as a positive match.
After confirming our findings, we reached out to both the Jharkhand government and UIDAI.
At the time of publication, neither had responded, but the website had been pulled offline.
The exposure may represent a fraction of the billion-plus users registered with Aadhaar, but uncovers yet another inadvertent disclosure of citizen data from a system that UIDAI claims is impenetrable. Instead of learning from mistakes and mishaps, UIDAI instead has shown a long history of rebuffing evidence of security incidents or breaches with mockery and declaring findings as “fake news,” by claiming to refute evidence without presenting any of its own.
The leak of Aadhaar numbers may not be seen as sensitive compared to leaked biometric data. Former attorney general Mukul Rohtagi once called a separate leak of Aadhaar numbers “much ado about nothing.” But it raises fears that obtaining and misusing someone’s number could lead to identity theft and fraud — which reportedly peaked last year.
Others have expressed concern that the system puts privacy at risk by recording information on a person’s life, which authorities can use to conduct surveillance on ordinary citizens.
But the exposure alone contradicts the Indian government’s claims that the Aadhaar system as a whole is secure.
In recent years, several security lapses involving data relating to Aadhaar have reignited fresh concerns about the centralized database — including several issues found by Robert. Last year, security researcher Karan Saini, a New Delhi-based security researcher, found a poorly secured web address used by state-owned utility company Indane that had direct access to the Aadhaar database, allowing him to query results from the system. UIDAI rubbished the reports, baselessly claiming that there was “no truth to this story” in a series of tweets from its official Twitter account, despite evidence to the contrary. In the same year, India’s Tribune newspaper reported that some were selling direct access to the Aadhaar database. UIDAI responded by filing a complaint against the reporter with police.
Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
India’s largest bank SBI leaked account data on millions of customers
One of the web systems used to record attendance of government workers for the Indian state of Jharkhand was left exposed and without a password as far back as 2014, allowing anyone access to names, job titles, and partial phone numbers on 166,000 workers as of the time of writing.
Aadhaar card is one of the important documents when applying for a personal loan. If the data on the Aadhaar card is leaked, there could be a breach of identity. For instance, if you purchase a new SIM card with your Aadhaar number, you may not be able to tell if the card will be reused without your knowledge.
Massive Aadhaar Data Breach Exposes Personal Information of 81 Crore Indians on Dark Web. In a significant cybersecurity incident, a report from US-based cybersecurity firm Resecurity reveals a massive data breach exposing the personal information of approximately 81.5 crore Indians on the dark web.
Since its inception under the UPA government in 2009, initially as a voluntary exercise, Aadhaar has faced many challenges, from Opposition parties' attacks to petitions in the Supreme Court.
Aadhaar data leaks were also reported in 2018, 2019, and 2022, with three instances of large-scale leaks being reported, including one in which farmer's data stored on the PM Kisan website was made available on the dark web.
Can someone hack into my bank account if they get to know my Aadhaar number? Absolutely false. Just as by merely knowing your ATM card number, no one can withdraw money from the ATM machine; by knowing your Aadhaar number alone, no one can hack into your bank account and withdraw money.
You shouldn't produce your Aadhaar details to anyone and everyone. It is utmost important to know the reason why you have been asked to give your Aadhaar details. There are high chances of your Aadhaar number been misused.
The UIDAI was initially set up by the Government of India in January 2009, as an attached office under the aegis of the Planning Commission via a notification in the Gazette of India.
UIDAI also filed a case against The Tribune under Sections 419, 420, 468 and 471 of the Indian Penal Code (IPC) alleging false reporting. The WEF Global Risk Report deemed the Aadhar breach as the largest data breach in the world.
Aadhaar data breach of 815 million citizens, India
While threat actors declined to specify how they obtained the data - without which the source of the data leak is difficult to ascertain - threat actors claimed they had access to a 1.8 terabyte data leak impacting an unnamed “India internal law enforcement agency”.
Aadhaar Card for NRIs and Foreigners. UIDAI now offers NRIs as well as other resident foreigners the option to avail an Aadhaar card. The article explains the step-by-step process for NRIs and other foreigners to enroll for an Aadhaar card in India, fees, validity and more.
A masked Aadhaar option lets you mask the first 8-digits of your Aadhaar number, while the other 4 digits will be visible. When you download this version of your Aadhaar, your photo, QR code, demographic information, and other details will still be present.
Aadhaar number is devoid of any intelligence and does not profile people based on caste, religion, income, health and geography. The Aadhaar number is a proof of identity, however, it does not confer any right of citizenship or domicile in respect of an Aadhaar number holder.
However, if your Aadhaar card information is leaked, it can be used against you. UIDAI helps in finding out where your Aadhaar card is being used. It's important to note that you can only use this approach if your phone number is linked to your Aadhaar card.
Yes, there have been several cases of criminals misusing Aadhaar cards. Aadhaar has been used to withdraw money by using the AePS. How can I know my Aadhaar number is misused? You can check the authentication history of your Aadhaar card to see if it has been misused.
In a massive data breach, details of over 81.5 crore citizens with the Indian Council of Medical Research (ICMR) are on sale on the dark web, which contains crucial information such as Aadhaar and passport details, along with names, phone numbers, and addresses, according to reports.
* When you lock your Aadhaar, it temporarily disables authentication using your Aadhaar number (UID) itself. This means entities cannot use your Aadhaar number to verify your identity for various services.
If you have lost or misplaced your Aadhaar card, it can be retrieved through various services by UIDAI. If you don't remember your Aadhaar enrolment ID (EID), you can make a request to UIDAI to send the details to the registered mobile number. You can also reapply for the Aadhaar card through the UIDAI portal.
Resident can lock his or her Aadhaar (UID) via UIDAI website (www.myaadhaar.uidai.gov.in) or through mAadhaar app. If resident wants to unlock UID he/she can do so by using latest VID, through UIDAI website or mAadhaar app. After unlocking Aadhaar (UID), resident can perform authentication using UID, UID Token & VID.
Hobby: LARPing, Kitesurfing, Sewing, Digital arts, Sand art, Gardening, Dance
Introduction: My name is Amb. Frankie Simonis, I am a hilarious, enchanting, energetic, cooperative, innocent, cute, joyous person who loves writing and wants to share my knowledge and understanding with you.
We notice you're using an ad blocker
Without advertising income, we can't keep making this site awesome for you.