First Known Misuse Of Aadhaar Biometrics Data Reported, Probe Initiated Against 3 Firms

In a first, an issue of Aadhaar data breach has caused several privacy concerns and raised questions about the security of the data possessed by the Unique Identification Authority of India (UIDAI).

The UIDAI lodged a criminal complaint on 15 February against three firms with cyber cell of Delhi Police. The firms — Axis Bank Ltd, Mumbai-based Suvidhaa Infoserve, and Bengaluru-based eMudhra — are being probed for attempting unauthorised authentication and impersonation by using stored Aadhaar biometrics, which is a clear violation of the law.

The issue has been raised at a time when the government is pushing for Aadhaar-based transactions to promote its digital mission.

The three firms have been served a “notice for action” under Aadhaar regulations.

How the breach unfolded

UIDAI detected the breach after it found multiple transactions done with the same fingerprint. This would not have been possible without the core biometrics being stored and used without authorisation.

The UIDAI officials found that one individual performed 397 biometric transactions between 14 July 2016, and 19 February 2017. Out of this, 194 transactions were conducted through Axis Bank, 112 through eMudhra and 91 through Suvidhaa Infoserve.

This proves that multiple transactions were performed concurrently with different user agencies, suggesting a common element attempting illegal operations. Intentionally copying Aadhaar data is a criminal offence and entails a three-year jail sentence and a fine.

Reportedly, Suvidhaa Infoserve CEO Paresh Rajde claimed that his company was a “business correspondent” of Axis Bank and distributed Aadhaar-linked products on behalf of the bank and they were testing the application for the Axis Suvidhaa pre-paid card. However, he further suggested that only test transactions were conducted without incurring any financial loss. The Axis Bank spokesperson also tried to defend themselves saying that there was no financial loss and that they will be sharing a detailed response with UIDAI soon.

However, the UIDAI officials were not convinced. One of the officials told Mint that even, “testing is not permissible under the Aadhaar law and if such an experiment was being conducted, UIDAI should have been informed about it earlier. The authentication operation of the firms concerned has been suspended till the matter is resolved.”

UIDAI officials discovered that the profile of the individual whose biometrics were used showed an address which matched the demographic records of Aadhaar. The authority expedited its actions after the notices it had served appeared in social media along with allegations that potential risks of Aadhaar were surfacing. Officials also found that a single device was used by one agency, suggesting that only one person was performing the authentication.

Aadhar is now the key to Prime Minister Narendra Modi’s plan of going digital. The government is seeking to link the database, with information on about 88 percent of the population of more than 1.2 billion, including children, to all state services — from school admissions to passports and the purchase of cooking gas. In effect, it would create more large databases. But in a nation without an overarching privacy law, Indians have few options for redressal in the event of identity theft or data leaks.

If such cases of “test transactions” keep happening, then people’s privacy would be compromised.

The Logical Indian urges the authority to take stern action against the three firms for violating the law. This should set a precedence which would discourage others to do the same.