India's controversial national ID database Aadhaar, which contains key personal information of nearly 1.2 billion people, has reportedly been breached.
Under the country's Aadhaar system, every Indian citizen receives a unique 12-digit number much like a Social Security Number in the US. They also have their biometric and personally identifiable information collected and stored by the government.
The Tribune, a local Indian newspaper, claimed that its reporters were able to purchase access to users' details via an "agent" who went by the name Anil Kumar on WhatsApp for just Rs 500 (£6, $8). Once paid, the "agent" then gave the reporters a username and password that allowed them to enter any Aadhaar number into the UIDAI website and gain access to the personal information of nearly 1.2 billion citizens enrolled in the government database.
For another Rs 300, they were provided with "software" that allowed them to print any Aadhaar card for which they had the number.
Currently the world's largest biometric database, Aadhaar contains the iris scans, fingerprints and personal information such as names, physical and email addresses, and photos of over 1 billion Indian citizens.
The Indian government has made it mandatory for every citizen to get their Aadhaar ID to gain access to welfare schemes. Over the past few months, the government has also made it compulsory to link it to bank accounts, mobile numbers, insurance policies, PAN (Permanent Account Number) and other services.
The system, though, has garnered fierce backlash from critics over privacy, security and possible mass surveillance concerns.
In a separate report, The Quint said the Aadhaar database was vulnerable because anyone can create an administrator account and access the system as long as they are invited by someone who is already an administrator.
However, The Tribune's report has already been dismissed as "fake news" by Indian Prime Minister Narendra Modi's Bharatiya Janata Party (BJP).
The Aadhaar-issuing body Unique Identification Authority of India (UIDAI) has denied the report in a statement, saying, "Aadhaar data, including biometric information, is fully safe and secure."
It also claimed that The Tribune misused a database search mechanism that is only available to government officials, and said it is pursuing legal action against those who "misused" the system.
"Claims of bypassing or duping the Aadhaar enrolment system are totally unfounded," UIDAI said. "Aadhaar data is fully safe and secure and has robust, uncompromised security. The UIDAI Data Centres are infrastructure of critical importance and [are] protected accordingly with high technology conforming to the best standards of security and also by legal provisions."
BuzzFeed News managed to track down the person who went by the pseudonym "Anil Kumar". The person said he had provided access to the Aadhaar database to seven other people besides the Tribune reporter for Rs 500 each. However, he said he was not aware that he was violating people's privacy when he did so.
"I paid Rs 6,000 to an anonymous person in a WhatsApp group I was a part of to create a username and password to the Aadhaar database for myself," he told BuzzFeed News. "I was told that I could then create as many usernames and passwords to access the database as I wanted. I sold each of them to make my Rs 6,000 back."
News of the alleged leak has already triggered massive criticism despite the government's insistence that the data was safe and secure.
Whistleblower Edward Snowden, who famously leaked thousands of classified documents revealing the extent of mass surveillance programmes in the US and UK, also weighed in on India's Aadhaar system.
"It is the natural tendency of government to desire perfect records of private lives. History shows that no matter the laws, the result is abuse," Snowden tweeted.
This isn't the first time that Aadhaar data has been exposed, reviving serious concerns over its security.
In November 2017, more than 200 central and state government websites accidentally exposed the personal details of some Aadhaar users. UIDAI said at the time that the information had been inadvertently published by other government departments and had been immediately taken down.
"The Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI," the agency had said at the time.
IBTimes UK has reached out to UIDAI for further comment on the latest incident and is awaiting a response.