Security & Fraud

Thousands Of Indian Aadhaar Numbers Compromised In Breach

Thousands Of Indian Aadhaar Numbers Compromised In Breach

An Indian web system — used to mark attendance for government workers, which records names, photos and unique Aadhaar numbers — was easily compromised, and led to the access of private information for thousands of workers, reports showed. 

The system is for workers in the state of Jharkhand, and it hasn’t been password protected since 2014. The information of at least 166,000 workers was accessible.

The Aadhaar number — a sort of 12-digit confidential Social Security number — was accessible as a file name with the person’s photo. While not completely secret, Aadhaar numbers can be used to verify identities for citizens who want social services, or to do even more everyday tasks, like call an Uber or rent an Airbnb.

The Unique Identification Authority of India (UIDAI) is the regulatory agency responsible for protecting the data of India’s citizens. In addition, the Aadhaar system has reportedly been subject to problems involving starvation and data theft.

The UIDAI claims that the system is impenetrable, but French security researcher Robert Baptiste scraped the site using about 100 lines of Python code. The UIDAI, for its part, calls breaches “fake news,” and simply denies evidence of any weaknesses. The page with the breaches had been pulled offline.

There have been a number of security breaches involved with Aadhaar over the years. About a year ago, a New Delhi-based security researcher named Karan Saini discovered a web addressed used by a state-owned utility company that was so unsecured, it gave access to the Aadhaar database, and even allowed Saini to query results. The UIDAI denied the report on its official Twitter account.

In another incident, a newspaper in India reported that people were illicitly selling access to the Aadhaar database. Again, the UIDAI denied the reports, and went a step further by filing a complaint with the police against the reporter who wrote the story.

The existence of the database was ruled constitutional by India’s Supreme Court in September.



Digital transformation has been forcefully accelerated, but how does that agility translate into the fight against COVID-era attacks and sophisticated identity threats? As millions embrace online everything, preserving digital trust now falls mostly on banks and FIs. Now, advances in identity data and using different weights on the payment mix afford new opportunities to arm organizations and their customers against cyberthreats. From the latest in machine learning for fraud and risk, to corporate treasury teams working in new ways with new datasets, learn from experts how digital identity, together with advances like real-time payments, combine to engender trust and enrich relationships.