Indian agency denies reported security lapse in ID card project


NEW DELHI: The semi-government agency behind India’s national identity card project on Saturday denied a report by news website ZDNet that the program has been hit by another security lapse that allows access to private information.
ZDNet reported that a data leak on a system run by a state-owned utility company, which it did not name, could allow access to private information of holders of the biometric “Aadhaar” ID cards, exposing their names, their unique 12-digit identity numbers, and their bank details.
But the Unique Identification Authority of India (UIDAI), which runs the Aadhaar program, said “there is no truth in this story” and that they were “contemplating legal action against ZDNet.”
“There has been absolutely no breach of UIDAI’s Aadhaar database. Aadhaar remains safe and secure,” the agency said in a statement late on Saturday.
“Even if the claim purported in the story were taken as true, it would raise security concerns on database of that utility company and has nothing to do with the security of UIDAI’s Aadhaar database,” it said.
Earlier, experts warned on Saturday that India risks a national security disaster unless the country’s identity database is made more secure.
The security analysts were commenting in the wake of a claim made by ZDNet that there was a new leak in the Aadhaar database, which stores the identity and biometric details of more than a billion citizens.
In a report late on Friday night, technology news website ZDNet claimed there was a data leak on a system run by a state-owned utility company.
ZDNet did not name the utility, but in a detailed explanation of the flaw said the leak allowed anyone to download private information on all Aadhaar holders. That includes names, unique 12-digit identity numbers, and information about services such as bank accounts and utilities.
All companies that use Aadhaar must first match the account holder against the names in the Aadhaar database through an API to verify identity.
According to the ZDNet report, the utility failed to secure that API. Based on this, the report claimed that it was possible to retrieve private data on any Aadhaar holder, regardless of whether they were a customer of the utility provider or not.
“There is a flaw in the system and the first step has been breached,” said Tarun Wig, co-founder of Innefu Labs, a security services company in Delhi.
Any agency that deals with Aadhaar, including service providers such as mobile phone companies, has an API so it can match the customer’s identity with the database, Wig said.
“There is no way you can protect that first step since there’s no way to stop companies from storing the information,” he said. “What you can protect is the information associated with the number that you’re giving to external agencies.”
Banks should only know the Aadhaar number of their registered accounts and, similarly, mobile phone companies should know only the Aadhaar number of their users and not have access to their biometrics, Wig said.
He said another way to secure the system is to not let any companies hit the Aadhaar database directly — as is the case now. The browser-based API should be moved to the client’s server, he advised.
“The government has come too far to go back on Aadhaar,” said Wig. “And its benefits outweigh the cons, so now the focus should be to remove the vulnerabilities and make it more secure.”
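The control Wig describes, a provider being able to look up only the Aadhaar numbers of its own registered customers and never their biometrics, can be expressed as an authorization check on the lookup API. The following is an added illustration, not UIDAI's or any utility's code; every record, API key and company name in it is constructed sample data.

```python
"""Added example: scoping an Aadhaar-number lookup API to the caller's own
enrolled customers. Illustrative only; all data below is constructed."""

# Constructed sample records held by a hypothetical identity service.
# "biometric" stands in for data that must never be returned to a provider.
RECORDS = {
    "123456789012": {"name": "A. Kumar", "bank": "acct-001", "biometric": b"\x00"},
    "234567890123": {"name": "B. Singh", "bank": "acct-002", "biometric": b"\x01"},
}

# Hypothetical API keys issued to registered service providers.
API_KEYS = {"key-utility-A": "utility-A", "key-telco-B": "telco-B"}

# Aadhaar numbers each provider has legitimately enrolled (its own customers).
ENROLLED = {"utility-A": {"123456789012"}, "telco-B": {"234567890123"}}

# Fields a provider is allowed to receive; biometrics are never exported.
EXPORTABLE = ("name", "bank")

# Denied lookups are recorded here; a monitoring team would alert on these.
AUDIT = []


def lookup_unscoped(aadhaar_number):
    """The flawed pattern the report describes: no check on who is asking
    or whether the number belongs to one of the caller's customers."""
    return RECORDS.get(aadhaar_number)


def lookup_scoped(api_key, aadhaar_number):
    """Hardened lookup: authenticate the caller, allow only numbers the
    caller has enrolled, and return only the minimal non-biometric fields."""
    company = API_KEYS.get(api_key)
    if company is None:
        AUDIT.append(("unauthenticated", aadhaar_number))
        return None
    if aadhaar_number not in ENROLLED.get(company, set()):
        # Cross-customer probing: log it so the pattern is visible to defenders.
        AUDIT.append((company, aadhaar_number))
        return None
    record = RECORDS.get(aadhaar_number)
    if record is None:
        return None
    return {field: record[field] for field in EXPORTABLE}
```

With the scoped version, a telco's key asking for a utility's customer is refused and logged, and even a legitimate hit never includes the biometric field.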
In January, India’s Tribune newspaper reported that for 500 rupees it had bought unrestricted access to the entire Aadhaar database from anonymous sellers on the messaging app WhatsApp.
For an extra 300 rupees, it could get software to print Aadhaar cards.
The government has maintained that the Aadhaar database is completely secure.
Aadhaar, or the unique identity number, was introduced by India’s previous UPA-led government. Initially, the idea was that all accounts that receive government subsidies should be linked with their unique identity number, a step toward plugging leaks in the system and ensuring that the subsidies went to the correct beneficiaries.
However, the current Narendra Modi-led government decided to extend that idea to all sectors — as a result, every service provider from mobile phones to bank accounts and e-wallets required consumers to link their respective accounts to Aadhaar.
That exercise is on hold while India’s top court decides on its legality.