Aadhaar-issuing authority UIDAI has asked research firm Centre for Internet and Society (CIS) to explain its sensational claim that 13 crore Aadhaar numbers were ‘leaked’ and to provide details of servers where they are stored.
In a precursor to initiating a probe into the matter, the Unique Identification Authority of India (UIDAI) also wants CIS to clarify just how much of such ‘sensitive data’ are still with it or anyone else.
The UIDAI – which has vehemently denied any breach of its database – shot off a letter to CIS on Thursday asking for the details.
Underscoring the importance of bringing to justice those involved in “hacking such sensitive information,” the UIDAI sought CIS’ assistance in this regard and has given it time till 30 May to revert on the issue.
“Your report mentions 13 crore people’s data have been leaked. Please specify how much (of) this data have been downloaded by you or are in your possession, or in the possession of any other persons that you know.”
Interestingly, in what commentators have described as a flip-flop, CIS has clarified that there was no ‘leak’ or ‘breach’ of Aadhaar numbers, but rather ‘public disclosure’.
Meanwhile, the UIDAI has quoted sections of the Information Technology Act, 2000, and the Aadhaar Act to emphasise that violation of the clauses is punishable with rigorous imprisonment of up to 10 years.
On 3 May, the CIS had claimed:
“Based on the numbers available on the websites that were looked at, an estimate of Aadhaar numbers leaked through these four portals could be around 130-135 million.”
Further, as many as 100 million bank account numbers could have been "leaked" from the four portals, it added.
The portals where the purported leaks happened were those of the National Social Assistance Programme and the National Rural Employment Guarantee Scheme, as well as two websites of the Andhra Pradesh government.
CIS Report: “Over 23 crore beneficiaries have been brought under Aadhaar program for DBT (Direct Benefit Transfer), and if a significant number of schemes have mishandled data in a similar way, we could be looking at a data leak closer to that number.”
The disclosure came as part of a CIS report titled 'Information Security Practices of Aadhaar (or lack thereof): A Documentation of Public Availability of Aadhaar Numbers with Sensitive Personal Financial Information'.
When contacted, a senior UIDAI official said that there was no breach in its own database.
The CIS report claimed that the absence of ‘proper controls’ in populating the databases could have disastrous results as it may divulge sensitive information about individuals, including details about address, photographs, and financial data.
“The lack of consistency of data masking and de-identification standard is an issue of great concern... the masking of Aadhaar numbers does not follow a consistent pattern.”