Irresponsible information security practices by a major central government ministry and a state government may have exposed up to 135 million Aadhaar numbers, according to a new research report released on Monday.
The new report, Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar numbers with sensitive personal financial information, studied four government databases.
The first two belong to the rural development ministry—the National Social Assistance Programme (NSAP)’s dashboard and the National Rural Employment Guarantee Act’s (NREGA) portal.
The other two databases deal with the state of Andhra Pradesh: the state government’s own NREGA portal and the online dashboard of a state government scheme called “Chandranna Bima”.
“Based on the numbers available on the websites looked at, the estimated number of Aadhaar numbers leaked through these 4 portals could be around 130-135 million and the number of bank account numbers leaked at around 100 million from the specific portals we looked at,” the report’s authors, Amber Sinha and Srinivas Kodali, state.
The report claims these government dashboards and databases revealed personally identifiable information (PII) due to a lack of proper controls exercised by the departments.
“While the availability of aggregate information on the Dashboard may play a role in making government functioning more transparent, the fact that granular details about individuals including sensitive PII such as Aadhaar number, caste, religion, address, photographs and financial information are only a few clicks away suggest how poorly conceived these initiatives are,” the report says.
The report said the portal lists 94,32,605 bank accounts and 14,98,919 post office accounts linked with Aadhaar.
“While the UIDAI (Unique Identification Authority of India) has been involved in proactively pushing for other databases to get seeded with Aadhaar numbers, they take little responsibility in ensuring the security and privacy of such data. With countless databases seeded with Aadhaar numbers, we would argue that it is extremely irresponsible on the part of the UIDAI, the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may be used for mischief,” said the report.