The Tribune announced to have “purchased” a service being offered by anonymous sellers over WhatsApp that provided it an unrestricted access to details for any individual whose data are stored in the Aadhaar system.
Attackers offered a portal to access Indian citizen data by knowing the Aadhaar user’s ID number. The service allowed the journalist to retrieve the resident’s name, address, postal code, photo, phone number, and email address, by providing the Aadhaar ID.
The hackers are offering the access to the portal for 500 rupees and are charging an additional 300 rupees for an application that allows printing a Aadhaar card.
“Today, The Tribune “purchased” a service being offered by anonymous sellers over WhatsApp that provided unrestricted access to details for any of the more than 1 billion Aadhaar numbers created in India thus far.” states The Tribune.
“It took just Rs 500, paid through Paytm, and 10 minutes in which an “agent” of the group running the racket created a “gateway” for this correspondent and gave a login ID and password. Lo and behold, you could enter any Aadhaar number in the portal, and instantly get all particulars that an individual may have submitted to the UIDAI (Unique Identification Authority of India), including name, address, postal code (PIN), photo, phone number and email.”
The Unique Identification Authority of India denies that Aadhaar system has been breached, but The Tribune revealed that when contacted, UIDAI officials in Chandigarh expressed shock over the full data being accessed, and admitted it seemed to be a major national security breach.
“Except the Director-General and I, no third person in Punjab should have a login access to our official portal. Anyone else having access is illegal, and is a major national security breach.” Sanjay Jindal, Additional Director-General, UIDAI Regional Centre, Chandigarh told The Tribune.
According to the investigation conducted by The Tribune, the breach could have involved lakh village-level enterprise (VLE) operators hired by the Ministry of Electronics and Information Technology (ME&IT) under the Common Service Centres Scheme (CSCS) across India, offering them access to UIDAI data.
CSCS operators were initially tasked with making Aadhaar cards across India, but later this function was restricted to post offices and designated banks.
More than one lakh VLEs are now suspected to have gained this illegal access to UIDAI data to provide “Aadhaar services” to common people for a charge, including the printing of Aadhaar cards.
(Security Affairs – Indian biometric system, data breach)