An Indian web system used to mark attendance for government workers, which records names, photos and unique Aadhaar numbers, was easily compromised, exposing private information for thousands of workers, reports showed.
The system is for workers in the state of Jharkhand, and it hasn’t been password-protected since 2014. The information of at least 166,000 workers was accessible.
The Aadhaar number, a sort of confidential 12-digit Social Security number, was accessible as the file name attached to the person’s photo. While not completely secret, Aadhaar numbers can be used to verify identities for citizens who want social services, or for more everyday tasks, like calling an Uber or renting an Airbnb.
The Unique Identification Authority of India (UIDAI) is the regulatory agency responsible for protecting the data of India’s citizens. Separately, the Aadhaar system has reportedly been subject to problems involving starvation and data theft.
The UIDAI claims that the system is impenetrable, but French security researcher Robert Baptiste scraped the site using about 100 lines of Python code. The UIDAI, for its part, calls breaches “fake news,” and simply denies evidence of any weaknesses. The page with the exposed data has been pulled offline.
There have been a number of security breaches involving Aadhaar over the years. About a year ago, a New Delhi-based security researcher named Karan Saini discovered a web address used by a state-owned utility company that was so unsecured, it gave access to the Aadhaar database, and even allowed Saini to query results. The UIDAI denied the report on its official Twitter account.
In another incident, a newspaper in India reported that people were illicitly selling access to the Aadhaar database. Again, the UIDAI denied the reports, and went a step further by filing a complaint with the police against the reporter who wrote the story.
The existence of the database was ruled constitutional by India’s Supreme Court in September.