Last week, IT Grids, a company hired by the Telugu Desam Party (TDP) for developing its Seva Mitra app, was found to be allegedly storing data of 7.82 crore Indians from Andhra Pradesh and Telangana, and another 2 crores from Punjab. Later investigation found that the structure and size of the database held by IT Grids was similar to what was owned by the Unique Identification Authority of India (UIDAI). In effect, it was yet another case of Aadhaar data breach.
Now as the investigation has been furthered, it has been found that this stolen data was allegedly being used to try and remove voters from electoral rolls, according to a report by Huffington Post. The publication spoke to IG Stephen Raveendra, who is heading the Special Investigating Team (SIT) for this case. He also revealed that when studying the origin of data they found that some parts of it could have only come from UIDAI's database.
"We are forensically examining the hard drives to trace where the data came from. But there are several columns of data that are an exact replica of the format used in the SRDH and CIDR," the publication quotes him as saying.
To put things in perspective, CIDR is the database that holds the demographic and biometric data of Aadhaar users. SRDH were state-level replicas of the CIDR pertaining to that state, for the "ability to manage resident data."
On 12 April, UIDAI filed a complaint in the Madhapur police station citing the findings of the special investigation team (SIT) that discovered this data. The case was registered under sections 37, 38(a), 38(b), 38(g), 40, 42, 44 of the Aadhaar Act 2016 and will be investigated by the SIT.
FIR 278/2019 by Cyberabad Police in Madhapur on the request of @UIDAI against IT Grids Pvt Ltd. First time in a #Aadhaar case there is a forensic investigation which was missing in all other UIDAI security claims. pic.twitter.com/8gDI3LmpRt
" Srinivas Kodali (@digitaldutta) April 15, 2019
The State Resident Data Hubs (SRDH) have been a matter of concern since their inception. SRDH contain Aadhaar data, including demographic and biometric data, as well as local data from other sources, such as Kerala's KYR+. And security experts have expressed that these data hubs are vulnerable to attacks.
UIDAI officials claim that the core Aadhaar biometric data stored in the CIDR is never shared with anyone. It also repeated the oft-heard come-back, that the biometric data hasn't been affected.
The police suspect that IT Grids could have illegally obtained this Aadhaar data and misused it. The mere fact that this data was taken on a removable storage drive is in itself a violation of the Aadhaar Act according to the police.