Government website in India disclosed sensitive personal data of citizens including Aadhaar number
According to Indian media Medianama, security researcher Srinivas Kodali reported a data breach on Monday, affecting a government website in Andhra Pradesh, India. Due to the sensitivity of the leak, Kodali decided not to publish the name of the site for the time being until the data was protected.
According to Kodali’s description, the leaked data includes Aadhaar number, bank branch, IFSC code and account number, name, address, ID card number, mobile phone number, distribution card number, occupation, religion and caste information.
The website which was leaking all the sensitive information today was of Andhra Pradesh State Housing Corporation. Here are two images with details one showing last four digits of #Aadhaar after fix & other masked by me showing first two. Around 1,34,193 Aadhaar numbers leaked pic.twitter.com/pr2RwO3C5f
— Srinivas Kodali (@digitaldutta) April 24, 2018
Although the Indian government and UIDAI (the only identity verification center in India) once argued in the Supreme Court that the Aadhaar card alone does not contain all personal information of Indian citizens. But in India, Aadhaar number is associated with other personal information is an indisputable fact. From the screenshots provided by Kodali, we can clearly see sensitive personal information about religion, caste, and address. Although the Indian government claimed that it did not have the ability to use Aadhaar in this way, the practical application of this use refuted their claim.
Through the screenshots provided by Kodali, we can also see that the site stores a large amount of data related to personal information. The tools provided by it allow searches by entering keywords and list all relevant information in the results returned list.
Kodali emphasized that having the ability to generate such lists means that the leak is not “minor” and that this information can be used to lock a single individual. In addition, this database is publicly available and allows anyone to access without authorization.
MediaNama spoke with Kodali and said that there is still no way to report the leak to the government and UIDAI. After he posted a message about data breaches, someone blocked Aadhaar data from the database. However, all remaining data is still publicly accessible.
MediaNama accuses the Indian government in its report of not taking data security seriously and refuses to respond to leak reports, and even denies and persecutes security researchers who report leaks. Needless to say, the criminals who obtain such information need not do a report to them, but use this information instead. If the Indian government still maintains this attitude, the privacy of Indian citizens will continue to suffer.
In addition, due to the connection of Aadhaar to various data sets, the risk of data leakage is even greater. This allows criminals to match Aadhaar data by crossing irrelevant datasets and collate them into data sets comparable to “profiles.”
The Indian government website must immediately stop storing Aadhaar numbers and other sensitive personal information to prevent the risk of these data aggregation. In addition, the Indian government needs to ensure that the database used to collect personal information is protected as necessary.
