Aadhar Biometric Data Reportedly Compromised For Rs. 500 Over WhatsApp

Aadhar, the unique identification number allotted and maintained by the Unique Identification Authority of India (UIDAI) was started in 2009 and is the largest database of privacy information including biometrics that include fingerprints, and iris scans of billions of Indians. The database also includes pictures, addresses and private information of all the individuals registered on the database.

It is estimated that over 1.2 Billion people have already resisted for the Aadhar number, however, it has not been without problems. Initially there was political push back for the Unique ID system which was intended to allow Indian residents easy access to social programs for healthcare, education, and general welfare. However the program received a major push under Prime Minister Narender Modi and BJP’s political reign in the Center since 2014.

130 Million records of the Aadhar number were reportedly breached in Q1 of 2017, while UIDAI had claimed that they had rectified the breach, the data of this leak was already out on the Internet, available as access records for the millions of accounts.

A journalist at the Tribune Newspaper, claims to have bought access to a User Name and Password that allowed him unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far. More importantly, this was provided in less than 10 minutes over a WhatsApp chat, after a PayTM transfer of a mere Rs. 500.

Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.

Interestingly the Tribune team claims to have paid another Rs 300, for which this remote agent provided “software” that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.

Claiming more damage, the Tribune , which started investigation into this matter reveals that the racket has been ongoing for over six months and over 1 lakh illegal users have had access to this database for a lowly price of a mere Rs. 500 / US $ 8 (approx). The WhatsApp groups gained access to the records thanks to being able to tap into over 3 lakh village-level enterprise (VLE) operators hired by the Ministry of Electronics and Information Technology, who were willing to part with their access for a small payout.

Even though, the VLE were rendered Idle in November of 2016 while their jobs were removed, they continued to have access to the large databases available on their access systems. The Tribune further claims that the hackers seemed to have gained access to the website of the Government of Rajasthan, as the “software” provided access to “aadhaar.rajasthan.gov.in”, through which one could access and print Aadhaar cards of any Indian citizen.

With the Government, Banks and Telecom Providers harassing individuals to link their Aadhar numbers with their accounts and services, the breach of privacy is unprecedented. The case against the invasion and lack of security around the right to privacy of Indians is already pending in the Supreme Court of India with a hearing expected in Feb 2018.

Here is the Full Chat between the journalist and agent below.

• 12:30 pm: This correspondent posing as ‘Anamika’ contacted a person on WhatsApp number 7610063464, who introduced himself as ‘Anil Kumar’. He was asked to create an access portal.
• 12:32pm: Kumar asked for a name, email ID and mobile number, and also asked for Rs 500 to be credited in his Paytm No. 7610063464.
• 12:35 pm: This correspondent created an email ID, [email protected], and sent mobile number ******5852 to the anonymous agent.
• 12:48 pm: Rs 500 transferred through Paytm.
• 12:49 pm: This correspondent received an email saying, “You have been enrolled as Enrolment Agency Administrator for ‘CSC SPV’. Your Enrolment Agency Administrator ID is ‘Anamika_6677’.” Also, it was said that a password would be sent in a separate mail, which followed shortly.
• 12:50 pm: This correspondent had access to the Aadhaar details of every Indian citizen registered with the UIDAI.

The UIDAI has responded to The Tribune’s  story by claiming it to be “misreporting” and baseless, however, the publication has responded with concrete facts on the matter which can be read here.

Th BJP has also responded in a manner which seems to mimic a certain leader of the free world. Their tweet can be found below.