Government agencies in India leaked a massive amount of identity-related information from the world’s largest biometric identification system, Aadhaar. Aadhaar, described by a World Bank Economist as “the most sophisticated ID programme in world,” functions as a form of ID for citizens. The eight-year-old system also handles payment verification and holds millions of records, both financial and personal.
According to a report from the Centre for Internet and Society, the government indirectly leaked millions of both personal and financial records. The Unique Identification Authority of India, a regulatory establishment responsible for Aadhaar application and authentication, pushed for the adoption of Aadhaar numbers by banks and other financial institutions. The numbers resemble the US’s Social Security numbers, to an extent. But the lack of regulation and oversight associated with Aadhaar numbers contributed to the issue at hand.
The India Centre for Internet and Society wrote in their report that they found the leaks while researching government entities that likely stored financial information. During the study, researchers found four government agencies with easily accessible databases of personal information and Aadhaar numbers.
In the CIS report, “Information Security Practices of Aadhaar (or lack thereof): A documentation of public availability of Aadhaar Numbers with sensitive personal financial information,” researchers focused on data in which Aadhaar information was connected to financial or payment data. They selected government structures that used “Aadhaar for payments and banking transactions.” As the title of the documentation suggested, their findings only furthered the controversy surrounding the Aadhaar system.
Aadhaar cards, or just the numbers in this case, allowed the funneling of benefits into an individual’s bank account. The numbers simplified the payment process because the ID number connects an individual to his or her bank account. This cut down on the verification process needed for fraud prevention.
The issues researchers found came from undeniably basic attempts at accessing the data. For example, the National Social Assistance Programme (NSAP), a public welfare system, needed only a simple URL parameter change. Programmers masked the personal information from public eyes, at first glance, at least. But once the URL parameter changed from “nologin” to “login,” the entire database became accessible. And the NSAP databases revealed a significant amount of data; they contained data from programs overseen by the Ministry of Rural Development, some of which are “the National Old Age Pension Scheme, National Family Benefit Scheme, National Maternity Benefit Scheme, Indira Gandhi National Widow Pension Scheme, and Indira Gandhi National Disability Pension Scheme.”
NSAP allows citizens to log in through a portal that displays a dashboard of their information. CIS reported that they saw the “job card number, Bank Account Number, Name, Aadhaar Number, and account frozen status.” Through further exploration, they found a Data Download option that provided even more information about a pensioner: “Beneficiary No., Name, Father’s/Husband’s Name, Age, Gender, Bank or Post Office Account No. for beneficiaries receiving disbursement via bank transfer and Aadhaar Numbers for each area, district and state.” NSAP seeded 1,59,42,083 listings in total, but not all contained bank information.
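The access-control failure described for the NSAP portal, sketched as an added example that is not code from the portal or from the CIS report: a handler that treats a client-supplied URL parameter as proof of login, next to one that decides from server-side session state. The parameter name `mode`, the roles, the session tokens and the records are all constructed assumptions; the page gives only the values “nologin” and “login.”

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data; not real records.
RECORDS = [{"name": "Sample Person", "account_no": "000011112222", "id_no": "999988887777"}]
# Server-side session store: token -> identity established at a real login.
SESSIONS = {"tok-officer": {"user": "officer1", "role": "district_officer"},
            "tok-citizen": {"user": "citizen7", "role": "beneficiary"}}
FULL_VIEW_ROLES = {"district_officer"}

def mask(value, keep=4):
    """Hide all but the last `keep` characters."""
    return "X" * max(len(value) - keep, 0) + value[-keep:]

def masked(rec):
    return {"name": rec["name"], "account_no": mask(rec["account_no"]),
            "id_no": mask(rec["id_no"])}

def requested_mode(url):
    # "mode" is a hypothetical parameter name; the page gives only its values.
    return parse_qs(urlparse(url).query).get("mode", ["nologin"])[0]

def vulnerable_view(url, session_token=None):
    """Weak: the client-supplied parameter is treated as proof of login."""
    if requested_mode(url) == "login":
        return 200, RECORDS
    return 200, [masked(r) for r in RECORDS]

def hardened_view(url, session_token=None):
    """The parameter only selects a view; the session decides what is allowed."""
    if requested_mode(url) != "login":
        return 200, [masked(r) for r in RECORDS]
    session = SESSIONS.get(session_token)
    if session is None:
        return 401, []          # no authenticated session
    if session["role"] not in FULL_VIEW_ROLES:
        return 403, []          # authenticated but not authorised for full data
    return 200, RECORDS

if __name__ == "__main__":
    url = "https://portal.example/report?mode=login"
    print(vulnerable_view(url))
    print(hardened_view(url))
    print(hardened_view(url, "tok-officer"))
```

Masking in the page template is presentation only; the check that matters is the one made on the server before any unmasked record is read.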
Access to similar data was just as simple across all four government programs. In a second example, the National Rural Employment Guarantee Scheme website leaked “Job card numbers, Aadhaar Number, Bank/Postal Account Number, no. of days worked, Registration Number, account frozen status.” The NREG data came from a report with subsections at different links; after following enough links, researchers landed on a final page with 10,96,41,502 Aadhaar Numbers.
As The Register’s Richard Child wrote, “If you’re enthused about governments operating large-scale online identity projects, here’s a cautionary tale: the Indian government’s eight-year-old Aadhaar payment card project has leaked a stunning 130 million records.” At a time when governments hold private information, whether via mass surveillance or government programs, poor data storage measures can ruin lives. In this case, the very program established to prevent fraud opened a door to a massive resource for identity thieves.