August 4th, 2017
A 31-year-old techie, Abhinav Srivastava, was detained by the Bengaluru city police on 1 August on the charge of accessing sensitive Aadhaar data, reports The Hindu.
A complaint was filed against him by the Unique Identification Authority of India (UIDAI) last week.
Srivastava is currently employed as a software engineer. He is accused of accessing sensitive Aadhaar information in January this year through an app called ‘Aadhaar e-KYC’, which was available on the Google Play Store until recently. The app was created by Srivastava himself.
He had made use of the services of another app, ‘e-hospital’, which is listed as an Authentication User Agency (AUA) authorised to access UIDAI data.
Demographic data, including details like address, mobile phone number, email address, age and sex, of at least 40,000 Aadhaar cardholders has allegedly been stolen by Srivastava, although he has not accessed any biometric data like fingerprints and iris scans, the police said.
There are around 400 entities which have been authorised to make use of the data for authentication; Srivastava’s app was not one of them.
The case was transferred to the City Cyber Crime Police Station on 29 June. The police have found that Srivastava made five more apps and has earned around Rs 40,000 from the advertisements. The ‘Aadhaar e-KYC’ app has been downloaded 50,000 times from the Google Play Store since its launch in January.
“Six teams of police comprising 26 personnel arrested Mishra from Koramangala a week after the complaint had been lodged,” S Ravi, Additional Commissioner of Police (Crime), told The Logical Indian.
The police have seized a CPU, four laptops, a tablet, four mobile phones and six pen drives from Srivastava.
Hailing from Kanpur, Srivastava is an IIT-Kharagpur graduate in Industrial Chemistry and now stays in Yeshwantpur, Bengaluru. He launched Qarth Technologies in 2012; it was shut down in 2016 for financial reasons, before being acquired by Ola.
To give his ‘Aadhaar e-KYC’ app an air of authenticity, Srivastava hacked into the server of the NIC that houses the e-hospital system, a solution for government hospitals to handle patient care and other services (including medical records management).
As part of its regulations, UIDAI grants certain agencies the title of an Authentication User Agency (AUA) which can then provide Aadhaar-enabled services to the card holder. For authentication, these agencies have to connect to the Central Identities Data Repository (CIDR) through the services of an Authentication Service Agency (ASA). ASAs are bound by regulations that stipulate encryption of data and logging of access.
Srivastava made use of this server to route his app requests for data access and managed to get his hands on the data.
The Logical Indian take
The fact that a software engineer can access classified Aadhaar data raises serious questions about the measures in place to protect the data.
With this incident of the IIT techie accessing Aadhaar data coming to the fore, The Logical Indian community wishes to reiterate its stance: Aadhaar is a goldmine of information, and its getting into the wrong hands will have catastrophic consequences.
There should be strict action taken against those responsible for these breaches. And the government should ensure that such violations of privacy and of the Aadhaar Act do not take place in the future.