India’s national Aadhaar database has once again been flagged for a major security vulnerability after a security lapse in the Jharkhand government’s online portal. The latest incident exposes the Aadhaar card numbers and partial phone numbers of thousands of government employees, all of which were accessible with no effort involved.
The leak came through one of the Jharkhand government’s web systems, which recorded the attendance of state employees across different districts and departments. The web page, which has been archived for now, was labelled “Aadhaar Enabled Biometric Attendance System”, and anyone with access to the link could view the names, partial phone numbers and job titles of the workers associated with the Jharkhand government.
TechCrunch revealed that the file name associated with each of the 166,000 workers in total was the worker’s Aadhaar number. Yes, the same 12-digit Aadhaar number which is supposed to be confidential and is assigned to every Indian citizen as part of the national identity system. Not only does the government web system leak the Aadhaar number, but it also exposes partial phone numbers and photos of every employee on record.
However, the latest data breach isn’t actually the fault of the Unique Identification Authority of India (UIDAI), which regulates the Aadhaar card for the 1.23 billion users already enrolled in India. But the extent of this breach means the authorities responsible for keeping this data safe weren’t protective enough.
The site was easily accessible on a Jharkhand government subdomain, and it appears that the IT team behind the page made little to no effort to secure it. The site has been up and running for so long that it has been indexed by Google, which has kept cached copies of some addresses within the site.
Packed with a bunch of security-enabled features, the Aadhaar card is India’s take on a digital ID database with biometric information and private details. Though enrollment is not mandatory, not enrolling in the database leaves users unable to use basic government services. Even Uber and Amazon have dug into the system for seamless identification of their customers.
The latest incident only goes to show that UIDAI is still not ready to learn from its mistakes but would rather deny claims of any data breach at all, since we reported a similar leak of Aadhaar credentials early last year.