Another Aadhaar Data Leak From AP Website Reveals Bank Details, Phone Numbers, Religion Of 1.3 Lakh People

Just days after the Andhra Pradesh State Housing Corporation website suffered leakage of sensitive data concerning nearly 2 crore Aadhaar card holders, another AP government website, the Benefit Disbursement Portal of the State’s Wages & Social Security Pensions (Mahatma Gandhi National Rural Employment Guarantee Act or MGNREGA) system, has been found to have suffered a similar security breach.

On Thursday, independent security researcher Srinivas Kodali traced the leak in their system and complained about it to the Indian Computer Emergency Response team, Unique Identification Authority of India (UIDAI) and the National Physical Information Protection Centre.

In an interview with Deccan Chronicle, Kodali says, “The latest leak involves 89 lakh MGNREGA workers, their IDs, names and Aadhaar numbers, all from AP. The website is being handled by Tata Consultancy Services (TCS) and AP government as part of the joint venture AP Online. However, the irony is, I had reported the same violation in May 2017, about two MGNREGA websites one of AP and another of the Central government. Both were leaking data, which is being repeated after a year. This means the complaints were not taken seriously and nothing has changed on the ground. This also proves that the UIDAI’s claim that minimum information is being collected through Aadhaar, and there is a security system in place, is a half-truth.”

The website which was leaking all the sensitive information today was of Andhra Pradesh State Housing Corporation. Here are two images with details one showing last four digits of #Aadhaar after fix & other masked by me showing first two. Around 1,34,193 Aadhaar numbers leaked pic.twitter.com/pr2RwO3C5f

— Srinivas Kodali | శ్రీనివాస్ కొడాలి (@digitaldutta) April 24, 2018

Government says we will only track beneficiaries of govt programmes through #Aadhaar. In short they want to track everyone, how can you not use any government service in a country? #surveillance is being called e-governance these days. pic.twitter.com/7tu62YKCGV

— Srinivas Kodali | శ్రీనివాస్ కొడాలి (@digitaldutta) April 24, 2018

It has always been said #Aadhaar is being linked to religion and caste information, apart from occupation. While UIDAI is not doing it, other government departments are. Here is proof that UIDAI has no idea what all is being linked to your unique id. Website reported early today. pic.twitter.com/3acEgcA1Qt

— Srinivas Kodali | శ్రీనివాస్ కొడాలి (@digitaldutta) April 24, 2018

Nobody is responsible for today's #Aadhaar data leak from AP govt. AP has it's own Aadhaar Act which says no official is responsible for security of the data. Act came into force after a 20 million Aadhaar numbers leak in May 2017.https://t.co/KpGq8dbOoH

— Srinivas Kodali | శ్రీనివాస్ కొడాలి (@digitaldutta) April 24, 2018

As reported on The News Minute, the page listed father’s name, address, panchayat, mobile number, ration card number, occupation, religion, caste, Aadhaar number, along with their bank details, IFSC code and account number.

According to reports, this latest data breach took place just one day after Chief Minister N Chandrababu Naidu inaugurated the Andhra Pradesh Cyber Security Operations Centre (APCSOC). As per NDTV, the Andhra Pradesh government said that they adhered to the strict rules and regulations of the Aadhaar Act, 2016. The government said they were investigating this report and once they have a complete understanding of the situation, public will be updated. The leaked data was part of a list titled ‘Beneficiary Details belonging to Entry Report for Scheme Hudhud’ on the housing website.

Security has taken a backseat for the AP government websites amidst their desire to lend transparency to the administration through the AP CM Dashboard. Experts say in extreme situations, such leaks could be misused to perform religious profiling based on a person’s belief, which could lead to nightmarish security scenarios. In light of all the security breaches happening, it is high time the country’s nodal agency for data protection bring in stringent legislation to deter other governmental departments from collecting and misusing citizens’ personal information.