Aadhaar numbers of over 13 crore people and bank account details of about 10 crore of them have been leaked through government portals owing to poor security practices, putting these people at risk of financial frauds as well as identity thefts.

According to a report published by The Center for Internet and Society, four government websites namely those run by National Social Assistance Programme under Ministry of Rural Development, National Rural Employment Guarantee Act (NREGA) run by Ministry of Rural Development, Daily Online Payment Reports under NREGA (Govt. of Andhra Pradesh) and Chandranna Bima Scheme run by Government of Andhra Pradesh combined were responsible for publicly exposing personal and Aadhaar details of over 13 crore citizens.

“Based on the numbers available on the websites looked at, estimated number of Aadhaar numbers leaked through these four portals could be around 130-135 million and the number of bank account numbers leaked at around 100 million from the specific portals we looked at,” the report said.

While these numbers are only from two major government programmes of pensions and rural employment schemes, other major schemes, who have also used Aadhaar for DBT could have leaked PII similarly due to lack of information security practices, the report warns.

Vulnerable sites

Experts believe that irrespective of government’s narrative on the security measures taken around protecting Aadhaar data, the Aadhaar ecosystem used by several government department remains vulnerable with little done to track and report misuse. “We are sitting on a volcano that is about to be burst,” Supreme Court lawyer and cyber security expert Pawan Duggal told BusinessLine . “We have no clue of the cyber security ramifications of Aadhaar and, therefore, massive breaches will continue to be reported. As a nation we need to do far more for cyber security for Aadhaar. Aadhaar was passed in a great amount of hurry and ignored the cyber security ramifications,” he said.

In a statement issued on March 5 by Ministry of Electronics and IT, UIDAI said that Aadhaar-based authentication is robust and secure as compared to any other contemporary systems. Aadhaar system has the capability to inquire into any instance of misuse of biometrics and identity theft and initiate action.

UIDAI uses one of world’s most advanced encryption technologies in transmission and storage of data. As a result, during the last seven seven years, there has been no report of breach or leak of residents’ data out of UIDAI, the statement added.

When contacted by BusinessLine , officials at the MeitY did not immediately comment on a detailed questionnaire sent via email on how several leaks were possible despite the government being so confident about Aadhaar security.

21 leaks reported so far

As of April 27, at least 21 leaks have been reported about data breaches. And these are only reported incidents.

“The UIDAI instead of using crowd sourced resources for reporting and plugging the security holes has responded in an aggressive defensive mode. The personal data in question, in some cases, include names, addresses, date of birth, Aadhaar card numbers, PAN card details, religion and caste. All of this information is available in the form of Microsoft Excel sheets and can be obtained by a simple Google search as reported recently by some media outlets,” said Mishi Choudhary, Legal Director at Software Freedom Law Center.

“We do not know if UIDAI itself monitoring these breaches. The Aadhaar Act itself needs several amendments with a mandatory requirement to disclose in specified ways, any breach of the security of the data, as defined, to any citizen whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorised person,” she added.

Experts believe that if the state is not ready or well equipped, it should not roll out schemes that rely on insecure systems.

Sunil Abraham, Executive Director of Centre for Internet and Society, said the use of biometrics data for financial services will make financial frauds easier than before as it is proven how easy it is to copy someone’s fingerprints.

“Biometrics is an inappropriate technology for financial services. Linking Aadhaar, which has your biometric data, with bank accounts makes you a lot more vulnerable to financial frauds than before. Your fingerprint can easily be collected at a restaurant or any other public place and can be used to steal your identity and commit frauds. Government needs to rethink its use for Aadhar as it will impact over a billion people in India,” Abraham said.