India's controversial national ID system, Aadhaar, has been leaking citizens' sensitive and personal information over the last few months. Under the Aadhaar system, which took effect in 2009, every Indian's biometric and personally identifiable information (PII) was collected and stored by the government. Residents were provided a unique 12-digit number similar to a US Social Security number. A recent report by an Indian think tank revealed that over 130 million Aadhaar numbers have been publicly leaked.

The report said that the leaks were not caused by security breaches or weak security practices. Instead, the custodians of the Aadhaar data wilfully and intentionally made the data publicly available. "These are cases where the data in question has not been treated as confidential at all, and the government agencies in question have, in fact, taken pains to publish them," wrote Amber Sinha and Srinivas Kodali of the Bangalore-based think tank, the Centre for Internet and Society.

"Rather than leaks or security breaches, these are wilful and intentional instances of treating Aadhaar Numbers and other PII as publicly shareable data by the custodians of the data," the report added.

The report also cautioned that while some of the previously leaked data has been "masked," the threat of potential cyberattacks and further leaks remains. The report said, "While some of data has been masked, it does not mean that government agencies have purged the data, which leaves it open to both cyberattacks, and any potential leakages of data those with access to it."

4 Indian government websites leaking data

According to the report, four specific government websites have been leaking data. Two are websites of the Indian government's rural development ministry, the National Social Assistance Programme (NSAP)'s dashboard and the National Rural Employment Guarantee Act (NREGA)'s portal, while the other two are run by the state of Andhra Pradesh: the state government's own NREGA portal and the online dashboard of a state government scheme called "Chandranna Bima."

The report said that the "estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million and the number of bank accounts numbers leaked at around 100 million." The report also warned that while these numbers only come from the government's pensions and rural development programs, other schemes that use Aadhaar could have leaked even more data.

The data leaks were caused in part by the Indian government's decision to provide online dashboards that make downloading information simple, likely in an effort to boost transparency. However, the report warns that without appropriate security measures, this could lead to disastrous results.

"While availability of aggregate information on the Dashboard may play a role in making government functioning more transparent, the fact that granular details about individuals including sensitive PII such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away suggest how poorly conceived these initiatives are," the report warned.

Data leaked can be used by criminals

Given the sensitive nature of the leaked data, the report indicates that criminals could use it to perpetrate identity fraud and other kinds of cybercrime. The report said that there have been several cases of citizens' biometric data collected for Aadhaar authentication being stolen by employees of service providers. Over 34,000 operators have already been blacklisted by the Indian government for orchestrating the creation of fake Aadhaar numbers.

Kodali and Sinha also point the finger at the Unique Identification Authority of India (UIDAI), the government agency that oversees the Aadhaar initiative, for the role it played in the data leaks.

"While the UIDAI has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data," the report states. "With countless databases seeded with Aadhaar numbers, we would argue that it is extremely irresponsible on the part of the UIDAI, the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may be used for mischief."

IBTimes UK has reached out to the Centre for Internet and Society for further clarity on what kind of impact the leaks could have on Indian citizens and will update this article in the event of a response.