Tribune News Service
Chandigarh, January 4
Responding to The Tribune exclusive story revealing how UIDAI data on Aadhaar number holders is being accessed by unauthorised agents, the Unique Identification Authority of India (UIDAI) today claimed it was a case of “misreporting”, and that there had been no Aadhaar data breach.The Tribune takes a look at the UIDAI claims para by para, and presents a fact check below each:
UIDAI Para 1: Unique Identification Authority of India (UIDAI) has denied the media report published in The Tribune titled “Rs 500, 10 minutes, and you have access to billion Aadhaar details” and has said that it is a case of misreporting.UIDAI assured that there has not been any Aadhaar data breach. The Aadhaar data including biometric information is fully safe and secure.
Fact: Aadhaar data has been accessed by unauthorised people, and the UIDAI claim that “there has not been any Aadhaar data breach” flies in the face of that.
UIDAI Para 2: UIDAI has given the said search facility for the purpose of grievance redressal to the designated personnel and state government officials to help residents only by entering their Aadhaar number/EID. UIDAI maintains complete log and traceability of the facility and any misuse can be traced and appropriate action taken. The reported case appears to be instance of misuse of the grievance redressal search facility.As UIDAI maintains complete log and traceability of the facility, the legal action, including lodging of FIR, against the persons involved in the instant case is being done.
Fact: Here the UIDAI has admitted that a facility on their website has been “misused”. The fact is that it has been ‘misused’ to steal data — personal information such as name, date of birth, address, PIN, photo, phone number, e-mail — at will, for any Aadhaar number. Its second claim in this para that they are able to track all those who access the data only suggests that they will now be able to nab the people involved in the racket. But that does not change the fact that a large number of people have been accessing the data in an unauthorised manner probably for months, and theft has already taken place. Also, the tracking system obviously never realised that unauthorised people were accessing the data. And if FIRs are being contemplated, is that not an admission of something being amiss?
UIDAI Para 3: UIDAI reiterates that the grievance redressal search facility gives only limited access to name and other details and has no access to biometric details. UIDAI reassures that there has not been any data breach of biometric database, which remains fully safe and secure, with highest encryption at UIDAI and mere display of demographic information cannot be misused without biometrics.
Fact: The UIDAI is suggesting here that giving away of personal data is of no serious consequence. This renders meaningless its claim of November 20, 2016, that “Aadhaar data is fully safe and secure and there has been no data leak or breach at UIDAI”. It had at that time asked 210 websites of Central and state governments that had mistakenly displayed personal details of Aadhaar number holders on various websites to remove the information from public domain. It may be noted that phishing scams use precisely such information on people to try and crack their passwords for net-banking or credit cards.
UIDAI Para 4: The Aadhaar number is not a secret number. It is to be shared with authorised agencies whenever an Aadhaar holder wishes to avail certain service or benefit of government welfare scheme/s or other services. But that does not mean that the proper use of Aadhaar number poses a security or financial threat. Also, mere availability of Aadhaar number will not be a security threat or will not lead to financial/other fraud, as for a successful authentication fingerprint or iris of individual is also required.
Fact: The sharing of Aadhaar numbers with “authorised agencies” is indeed safe, but what has been revealed in the story is that unauthorised persons have gained access to people’s personal information. The Tribune correspondent was also able to enter biometric data of specific individuals who were available at hand — at an unauthorised location — to print out Aadhaar cards. That is a partial breach of the biometric data too, even if biometric data was not downloaded.
UIDAI Para 5: Claims of bypassing or duping the Aadhaar enrolment system are totally unfounded. Aadhaar data is fully safe and secure and has robust uncompromised security. The UIDAI Data Centres are infrastructure of critical importance and is protected accordingly with high technology conforming to the best standards of security and also by legal provisions.
Fact: To say that “claims of bypassing” the system are unfounded is to deny facts staring everyone in the face. If unauthorised people can log into government data and download it, how is that not “bypassing”?Meanwhile, the BJP through its official Twitter handle has called The Tribune report “fake news”.
Tribune’s report suggesting the data breach at @UIDAI is fake news!http://www.tribuneindia.com/news/nation/uidai-says-tribune-story-misreporting–read-how-that-is-wrong/523478.html
January 5, 2018 at 4:33 pm
The reply of UIDAI is unsatisfactory and counter factual assessment shows that aadhar can be easily breached