Despite regular updates, the system exposed the sensitive information of possibly over a billion citizens.
The personal information of users of India’s controversial national ID system, Aadhaar, was leaked on more than 200 central and state government websites. Under the Aadhaar system, each Indian citizen receives a unique 12-digit number.
The system also captures, collects and stores biometric and personal information for the government. The system is very similar to the USA’s Social Security Numbers. The Unique Identification Authority of India (UIDAI) has said that some 210 central and state government websites publicly exposed the information.
The authority, which is the issuing body behind Aadhaar, confirmed this in response to a Right to Information (RTI) inquiry. It also said that the websites affected included educational institutions. Among the data exposed in the leak were names, addresses, and Aadhaar numbers.
The UIDAI has said the data has since been taken down. But the organization refused to specify how or when the leak took place. It would also not confirm for how long the data was exposed on these sites or exactly how many citizens were affected by the data leak. The breached websites were not identified either.
Residents use their Aadhaar cards as proof of identity and address in any province or city throughout the country. The government of India previously made it compulsory for every Indian citizen to have an Aadhaar ID to get access to various social welfare schemes and government services.
Residents have also been told by the government to link their Aadhaar cards to their bank accounts, insurance policies and mobile numbers. The government also advised Aadhaar links to PAN (Permanent Account Number) and other services. Currently, Aadhaar is the world’s largest biometric database.
It has already collected and stored the iris scans and fingerprints of over a billion Indian citizens. But many security experts have already voiced their concerns over the security and privacy of the system, given that it holds sensitive and confidential details for billions of users.
In response to the RTI inquiry, the UIDAI has said that the system was well-designed. It also said that it was multi-layered and was equipped with a robust security system. Local press reported that the security of the system was constantly being updated. The agency has also said that it regularly conducted security audits to ensure the personal data of citizens was safe.
According to the organization, various policies and procedures were defined. These were also reviewed and updated continually. The aim of the continual updates was to ensure the organization was suitably controlling and monitoring any movement of people and material as well as data in and out of UIDAI locations, mainly the data centers. The UIDAI was approached for comment on the matter; at the time of publication, no comment was received.