Aadhaar Body Talks Legal Action Against Report That Claimed New Data Leak

New Delhi: India's flagship biometric ID programme, Aadhaar, has been hit by another major security lapse, allowing access to private information, business technology news website ZDNet reported on Saturday. But the UIDAI, the body that runs the Aadhaar programme, denied the charge and threatened legal action against the website.

A data leak on a system run by a state-owned utility company can allow access to private information of Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and their bank details, ZDNet report said, according to news agency Reuters.

Even though the security lapse had been flagged to some government agencies over a period of time, it has yet to be fixed, ZDNet said, adding that it was withholding the name of the utility and other details.

Karan Saini, a New Delhi-based security researcher, said that anyone with an Aadhaar number was affected.

"This is a security lapse. You don't have to be a consumer to access these details. You just need the Uniform Resource Locator where the Application Programming Interface is located. These can be found in less than 20 minutes," Mr Saini told Reuters.

"Absolutely no breach of UIDAI's Aadhaar database" and the authority was contemplating legal action to hold them accountable for "such false and irresponsible reporting," said Unique Identification Authority of India (UIDAI), which runs the Aadhaar programme.

The ZDNet story, the statement said, seems to claim that the database of a state utility company containing its customer details such as bank account numbers, consumer number, Aadhaar number (not the biometrics), had some vulnerability which makes the data accessible to outsiders through some tools.

"Even if this claim is taken as true, it would raise security concerns on database of that utility company and has nothing to do with security of UIDAI's Aadhaar database. If one goes by the logic of ZDNet's story,  since the utility company's database also had bank account numbers of  its customers, so would that mean that all Indian banks' databases have been breached? The answer would obviously be in negative," the statement said.

Besides, the UIDAI said Aadhaar number alone, though personal sensitive information, is not a secret number.

"Mere availability of Aadhaar number with a third person will not be a security threat to the Aadhaar holder or will not lead to financial/other fraud, as for any  transaction, a successful authentication through fingerprint, Iris or OTP of  the Aadhaar holder is required," the body said.

Aadhaar, the world's biggest database, has been facing increased scrutiny over privacy concerns following several instances of breaches and misuse.

Last Thursday, the CEO of the UIDAI said the biometric data attached to each Aadhaar was safe from hacking as the storage facility was not connected to the internet.

"Each Aadhaar biometric is encrypted by a 2048-key combination and to decode it, the best and fastest computer of our era will take the age of the universe just to hack into one card's biometric details," Ajay Bhushan Pandey said..