- Re 1 was deposited in his account through an Aadhaar-enabled app
- As a dare, RS Sharma had revealed his Aadhaar ID number on Twitter
- His mobile number was revealed by a French security expert
RS Sharma, the country's telecom regulator, has received Re 1 in his bank account, has fake accounts in his name on shopping portals and has had many of his details splashed on the public domain since he took the astonishing step of revealing his Aadhaar ID number on Twitter over a dare.
In an attempt to show down critics of the Aadhaar system, Mr Sharma put out his unique ID with a challenge to anyone who could "do any harm".
Over the past two days, the chairman of the Telecom Regulatory Authority of India (TRAI) has been trolled with publicly available information.
Ethical or white hat hackers, who claim to show vulnerabilities in public system not to do harm, but to have these systems improved, have tracked down 14 details from the Aadhaar ID, including Mr Sharma's phone number, address, WhatsApp profile photo, PAN card details, phone model, Air India frequent flyer ID and Voter ID number. But data behind firewalls, like bank transactions and biometric details, is still private.
The challenge and its fallout caused a flutter in parliament, where opposition parties have repeatedly raised questions about the security of citizen's data. "He must apologise to the country for making people insecure about their Aadhaar data," said Congress lawmaker Pratap Sigh Bajwa. Left leader D Raja demanded an investigation.
Mr Sharma's mobile number was revealed by a French security expert who goes under the pseudonym Elliot Alderson.
People managed to get your personal address, dob and your alternate phone number.- Elliot Alderson (@fs0c131y) July 28, 2018
I stop here, I hope you will understand why make your #Aadhaar number public is not a good idea pic.twitter.com/IVrReb4xIM
Mr Sharma is a former chief of the UIDAI, the body in charge of Aadhaar. He had posted the challenge in response to technology developer Kingsly John's tweet. He asked for one example. Respondents bombarded him with many.
But Mr Sharma, engaging with those who tweeted his details, wrote that there was "so far no success" to his challenge as much of what was being posted is already in the public domain.
Someone deposited Re 1 in his account through an Aadhaar-enabled app.
One user claimed to make a fake Aadhaar ID that was accepted by Facebook and Amazon Cloud. But here the risk is mainly identity theft.
Sorry for this Sir, But this is only for educational purpose.- Rahul Dhiman (@enggdhiman) July 29, 2018
I made a FAKE aadhar of yours and uploaded to Facebook and Amazon Cloud Services, And what both of them accepted this as a proof of identity. I may use Amazon Services and Facebook ads service on your name now. pic.twitter.com/pOP4heBNFJ
On Sunday, the Aadhaar authority or UIDAI (Unique Identification Authority of India) put out a statement insisting that the Aadhaar database "is totally safe" and the "hacked information" was already available in the public domain because Mr Sharma has been in the public service for decades and is easily available on Google and various other sites by a simple search without the Aadhaar number.
Cyber experts say even if Aadhaar database is safe, the number can be used to access personal data from other databases.
The episode comes at a time a panel headed by Justice BN Srikrishna has submitted a report on data protection recommending that the Aadhaar Act be amended "significantly" to bolster privacy safeguards. The report suggests that only public authorities approved by the UIDAI or entities mandated by law be given the right to request identity authentication.