Indian state government leaks thousands of Aadhaar numbers | TechCrunch (2024)

A lapse in security has led to the leaking of more than 100,000 Aadhaar numbers, TechCrunch can reveal.

One of the web systems used to record attendance of government workers for the Indian state of Jharkhand was left exposed and without a password as far back as 2014, allowing anyone access to names, job titles, and partial phone numbers on 166,000 workers as of the time of writing.

But the photo on each record page used the file name as that worker’s Aadhaar number, a confidential 12-digit number assigned to each Indian citizen as part of the country’s national identity and biometric database.
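An added example (not from the original article or the Jharkhand system): an audit a site owner can run over their own pages to flag image file names that are 12 digits with a valid Verhoeff check digit, the checksum Aadhaar numbers carry, plus a random-token naming helper as the fix. All function names and the sample HTML are constructed for illustration.

```python
import re
import secrets
from html.parser import HTMLParser

# Verhoeff tables (dihedral-group multiplication, permutation, inverse).
D = ("0123456789 1234067895 2340178956 3401289567 4012395678 "
     "5987604321 6598710432 7659821043 8765932104 9876543210").split()
P = ("0123456789 1576283094 5803796142 8916043527 "
     "9453126870 4286573901 2793806415 7046913258").split()
INV = "0432156789"

def _fold(digits: str, offset: int) -> int:
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = int(D[c][int(P[(i + offset) % 8][int(ch)])])
    return c

def verhoeff_ok(number: str) -> bool:
    return _fold(number, 0) == 0

def with_check_digit(payload: str) -> str:
    return payload + INV[_fold(payload, 1)]

class ImgAudit(HTMLParser):
    """Collects <img> sources whose file name is a checksum-valid 12-digit ID."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "img" else None
        if not src:
            return
        stem = src.rsplit("/", 1)[-1].split("?")[0].rsplit(".", 1)[0]
        digits = re.sub(r"[\s_-]", "", stem)
        if re.fullmatch(r"\d{12}", digits) and verhoeff_ok(digits):
            self.findings.append(src)

def audit(html: str) -> list:
    parser = ImgAudit()
    parser.feed(html)
    return parser.findings

def opaque_name(ext: str = "jpg") -> str:
    """Remediation: name stored photos with a random token, not the ID."""
    return f"{secrets.token_urlsafe(16)}.{ext}"

# Constructed sample page: a checksum-valid test value, a typo'd one, a token.
FAKE_ID = with_check_digit("00000000000")
BAD_ID = FAKE_ID[:-1] + str((int(FAKE_ID[-1]) + 1) % 10)
SAMPLE = (f'<img src="/photos/{FAKE_ID}.jpg"><img src="/photos/{BAD_ID}.jpg">'
          f'<img src="/photos/{opaque_name()}">')
```

Running `audit(SAMPLE)` returns only the first image path; the checksum filter is what keeps ordinary 12-digit file names from flooding the report.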

The data leak isn’t a direct breach of the central database run by Aadhaar’s regulator, the Unique Identification Authority of India (UIDAI), but represents another lapse in responsibility from the authority charged with protecting its data.

Aadhaar numbers aren’t strictly secret, but are treated similarly to Social Security numbers. Any of the 1.23 billion Indian citizens enrolled in Aadhaar — more than 90 percent of the population — can use their unique number or their thumbprint to verify their identity in order to enroll in state services, like voting, welfare or financial assistance. Aadhaar users can even use their Aadhaar identity to open a bank account, get a SIM card, call an Uber, buy something on Amazon or rent an Airbnb.

But the system has been plagued with problems that have led to starvation in cases, and the illicit trade of citizen data on the underground market.

It’s unclear why the Jharkhand government site was accessible to anyone who knew where to look, but little effort had been put in to ensure the security of the system — or even hide it from the outside world. The site was easily found on a subdomain of the state government’s website, and it was indexed by Google, which cached copies of not only the site itself, but also its attendance record pages that still contain Aadhaar numbers in each worker’s photo.

TechCrunch asked Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, to take a look at the site. Robert has prior experience in revealing Aadhaar-related data leaks. Using less than a hundred lines of Python code, Robert demonstrated that it was easy for anyone to scrape the entire site in batches to download their photos and corresponding Aadhaar numbers.

TechCrunch verified a small selection of Aadhaar numbers from the site using UIDAI’s own verification tool on its website. (We used a VPN in Bangalore as the page was unavailable in the U.S.) Each record came back as a positive match.

After confirming our findings, we reached out to both the Jharkhand government and UIDAI.


At the time of publication, neither had responded, but the website had been pulled offline.

The exposure may represent a fraction of the billion-plus users registered with Aadhaar, but uncovers yet another inadvertent disclosure of citizen data from a system that UIDAI claims is impenetrable. Instead of learning from mistakes and mishaps, UIDAI has shown a long history of rebuffing evidence of security incidents or breaches with mockery and declaring findings as “fake news,” claiming to refute evidence without presenting any of its own.

The leak of Aadhaar numbers may not be seen as sensitive compared to leaked biometric data. Former attorney general Mukul Rohtagi once called a separate leak of Aadhaar numbers “much ado about nothing.” But it raises fears that obtaining and misusing someone’s number could lead to identity theft and fraud — which reportedly peaked last year.

Others have expressed concern that the system puts privacy at risk by recording information on a person’s life, which authorities can use to conduct surveillance on ordinary citizens.

But the exposure alone contradicts the Indian government’s claims that the Aadhaar system as a whole is secure.

In recent years, several security lapses involving data relating to Aadhaar have reignited concerns about the centralized database — including several issues found by Robert. Last year, Karan Saini, a New Delhi-based security researcher, found a poorly secured web address used by state-owned utility company Indane that had direct access to the Aadhaar database, allowing him to query results from the system. UIDAI rubbished the reports, baselessly claiming that there was “no truth to this story” in a series of tweets from its official Twitter account, despite evidence to the contrary. In the same year, India’s Tribune newspaper reported that some were selling direct access to the Aadhaar database. UIDAI responded by filing a complaint against the reporter with police.

Despite the security concerns, India’s Supreme Court ruled the database constitutional in September after a long-running court battle.

Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.


FAQs

What happens if Aadhaar number is leaked? ›

Aadhaar card is one of the important documents when applying for a personal loan. If the data on the Aadhaar card is leaked, there could be a breach of identity. For instance, if you purchase a new SIM card with your Aadhaar number, you may not be able to tell if the card will be reused without your knowledge.

What is the Aadhaar leak in India? ›

Massive Aadhaar Data Breach Exposes Personal Information of 81 Crore Indians on Dark Web. In a significant cybersecurity incident, a report from US-based cybersecurity firm Resecurity reveals a massive data breach exposing the personal information of approximately 81.5 crore Indians on the dark web.

Which govt brought Aadhar card in India? ›

Since its inception under the UPA government in 2009, initially as a voluntary exercise, Aadhaar has faced many challenges, from Opposition parties' attacks to petitions in the Supreme Court.

When was Aadhar hacked? ›

Aadhaar data leaks were also reported in 2018, 2019, and 2022, with three instances of large-scale leaks being reported, including one in which farmers' data stored on the PM Kisan website was made available on the dark web.

Can someone hack a bank account with an Aadhaar number? ›

Can someone hack into my bank account if they get to know my Aadhaar number? Absolutely false. Just as by merely knowing your ATM card number, no one can withdraw money from the ATM machine; by knowing your Aadhaar number alone, no one can hack into your bank account and withdraw money.

Should I give my Aadhaar number to anyone? ›

You shouldn't give your Aadhaar details to anyone and everyone. It is of the utmost importance to know the reason why you have been asked to give your Aadhaar details. There is a high chance of your Aadhaar number being misused.

Who is the owner of Aadhar? ›

The UIDAI was initially set up by the Government of India in January 2009, as an attached office under the aegis of the Planning Commission via a notification in the Gazette of India.

What is the biggest data theft in India history? ›

UIDAI also filed a case against The Tribune under Sections 419, 420, 468 and 471 of the Indian Penal Code (IPC) alleging false reporting. The WEF Global Risk Report deemed the Aadhaar breach the largest data breach in the world.

What is the biggest data leak in India? ›

Aadhaar data breach of 815 million citizens, India

While threat actors declined to specify how they obtained the data - without which the source of the data leak is difficult to ascertain - threat actors claimed they had access to a 1.8 terabyte data leak impacting an unnamed “India internal law enforcement agency”.

Can US citizens get an Aadhaar card? ›

Aadhaar Card for NRIs and Foreigners. UIDAI now offers NRIs as well as other resident foreigners the option to avail an Aadhaar card. The article explains the step-by-step process for NRIs and other foreigners to enroll for an Aadhaar card in India, fees, validity and more.

What is masked Aadhaar? ›

A masked Aadhaar option lets you mask the first 8-digits of your Aadhaar number, while the other 4 digits will be visible. When you download this version of your Aadhaar, your photo, QR code, demographic information, and other details will still be present.

Is Aadhaar a proof of citizenship? ›

Aadhaar number is devoid of any intelligence and does not profile people based on caste, religion, income, health and geography. The Aadhaar number is a proof of identity, however, it does not confer any right of citizenship or domicile in respect of an Aadhaar number holder.

What if my Aadhaar number is leaked? ›

However, if your Aadhaar card information is leaked, it can be used against you. UIDAI helps in finding out where your Aadhaar card is being used. It's important to note that you can only use this approach if your phone number is linked to your Aadhaar card.

Can someone misuse my Aadhar number? ›

Yes, there have been several cases of criminals misusing Aadhaar cards. Aadhaar has been used to withdraw money by using the AePS. How can I know my Aadhaar number is misused? You can check the authentication history of your Aadhaar card to see if it has been misused.

Is 82 crore Indian data leak? ›

In a massive data breach, details of over 81.5 crore citizens with the Indian Council of Medical Research (ICMR) are on sale on the dark web, which contains crucial information such as Aadhaar and passport details, along with names, phone numbers, and addresses, according to reports.

Can someone withdraw money with my Aadhaar card? ›

Just by knowing your Aadhaar number or Aadhaar linked bank account, no one can withdraw money from Aadhaar linked bank account.

What will happen if I lock my Aadhaar card? ›

When you lock your Aadhaar, it temporarily disables authentication using your Aadhaar number (UID) itself. This means entities cannot use your Aadhaar number to verify your identity for various services.

What happens if my Aadhaar card is stolen? ›

If you have lost or misplaced your Aadhaar card, it can be retrieved through various services by UIDAI. If you don't remember your Aadhaar enrolment ID (EID), you can make a request to UIDAI to send the details to the registered mobile number. You can also reapply for the Aadhaar card through the UIDAI portal.

How can I lock my Aadhaar card number to prevent misuse? ›

A resident can lock his or her Aadhaar (UID) via the UIDAI website (www.myaadhaar.uidai.gov.in) or through the mAadhaar app. A resident who wants to unlock the UID can do so using the latest VID, through the UIDAI website or the mAadhaar app. After unlocking the Aadhaar (UID), the resident can perform authentication using UID, UID Token and VID.

Article information

Author: Amb. Frankie Simonis
