A few hours after the Unique Identification Authority of India (UIDAI) on Thursday denied a report by The Tribune that highlighted a massive breach in Aadhaar security, the newspaper responded with a fact check, arguing that the UIDAI's claim that "there has not been any data breach" flies in the face of that.
Terming it a case of "misreporting", the UIDAI had given an assurance that there had not been any data breach. "The Aadhaar data, including biometric information, are fully safe and secure," it said.
The UIDAI, however, said the reported case could be "an instance of misuse of the grievance redressal search facility" and appropriate action would be taken against the person by tracing them.
The investigative report by The Tribune, titled "Rs 500, 10 minutes, and you have access to billion Aadhaar details", had revealed that Aadhaar details are easily accessible, and for a payment of just Rs 500.
According to the newspaper, its reporter purchased a service offered by anonymous sellers on WhatsApp and paid Rs 500 via Paytm to an agent of the group running the racket. The agent then created a “gateway” for the reporter and gave a login ID and password, thus giving unrestricted access to details, including name, address, postal code (PIN), photo, phone number and email, of more than 1 billion Aadhaar numbers submitted to the UIDAI, the Aadhaar issuing body.
In addition, the newspaper team paid another Rs 300, for which the agent provided “software” that could facilitate the printing of the Aadhaar card after entering the Aadhaar number of any individual.
Denying the allegation, the UIDAI statement said that it has "given the said search facility for the purpose of grievance redressal to the designated personnel and state government officials to help residents only by entering their Aadhaar number/EID".
"UIDAI maintains complete log and traceability of the facility and any misuse can be traced and appropriate action taken. The reported case appears to be an instance of misuse of the grievance redressal search facility. As UIDAI maintains complete log and traceability of the facility, the legal action including lodging of FIR against the persons involved in the instant case is being done," said the statement.
In the "fact-check" report, The Tribune argued that "the UIDAI has admitted that a facility on their website has been 'misused'. The fact is that it has been 'misused' to steal data — personal information such as name, date of birth, address, PIN, photo, phone number, e-mail — at will, for any Aadhaar number. Its second claim in this para that they are able to track all those who access the data only suggests that they will now be able to nab the people involved in the racket. But that does not change the fact that a large number of people have been accessing the data in an unauthorised manner probably for months, and theft has already taken place. Also, the tracking system obviously never realised that unauthorised people were accessing the data. And if FIRs are being contemplated, is that not an admission of something being amiss?"
The authority had further said: "UIDAI reiterates that the grievance redressal search facility gives only limited access to name and other details and has no access to biometric details. UIDAI reassures that there has not been any data breach of biometric database, which remains fully safe and secure, with highest encryption at UIDAI and mere display of demographic information cannot be misused without biometrics."
To this, the newspaper counters: "This renders meaningless its claim of November 20, 2016, that 'Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI'. It had at that time asked 210 websites of Central and state governments that had mistakenly displayed personal details of Aadhaar number holders on various websites to remove the information from public domain. It may be noted that phishing scams use precisely such information on people to try and crack their passwords for net-banking or credit cards."
The 12-digit unique identification number is not a secret number. It is to be shared with authorized agencies whenever an Aadhaar holder wishes to avail of a certain service or benefit of government welfare schemes or other services, the UIDAI said in the statement.
It also gave an assurance that a person's biometric information does not get leaked merely by sharing the digits. "Mere availability of Aadhaar number will not be a security threat or will not lead to financial/other fraud, as for a successful authentication fingerprint or iris of individual is also required."
The Tribune, however, argued: "The sharing of Aadhaar numbers with 'authorised agencies' is indeed safe, but what has been revealed in the story is that unauthorised persons have gained access to people's personal information. The Tribune correspondent was also able to enter biometric data of specific individuals who were available at hand — at an unauthorised location — to print out Aadhaar cards. That is a partial breach of the biometric data too, even if biometric data was not downloaded."