India’s National ID Database of 1.2 Billion People Breached for $8

Hacker Goes beyond Biometric Ways

An Indian news publication has reported that the government’s biggest citizen database, a register that holds the data of nearly 1.2 billion people, can be compromised for as little as $8.

Local Indian newspaper The Tribune has, in a published report, claimed one of its reporters paid approximately $8 to an individual with the pseudonym Anil Kumar to get in access to Aadhaar, the centralized database operated by the government. After getting in touch with Kumar over social messaging platform Whatsapp, the individual was able to create a username and password that essentially gave access to the demographic information of some 1.2 billion Indians currently enrolled in Aadhaar. Credentials could be ascertained by simply entering an individual’s 12-digit Aadhaar number.

Officials at the Unique Identification Authority of India (UIDAI), the government agency tasked to operate Aadhaar, described the intrusion as a “major national security breach” that was highly “illegal”.

“We have been warning for a while about the single access problem with the design of the [Aadhaar server],” said Meghnad S, a vehement Aadhaar critic.

A separate report by Indian news publication Quint revealed that any person would be able to create an administrator account allowing them access to the Aadhaar database, as long as they’re invited by an existing administrator.

“The government in India will need to assess how much data was accessed by unauthorized parties, who was responsible, and now what actions should be taken to protect impacted parties,” security researcher Troy Hunt toold BuzzFeed.

For its part, India’s ruling government dismissed the reports as “fake news”, stating that the “Aadhaar data including biometric information is fully safe and secure”. Journalists accessing the database had “misused” their credentials otherwise only available to government officials, read a statement from the UIDAI.

Image credit: LIFARS archives.