India Insights with Geetha Nandikotkur


Aadhaar Security: How Can It Be Fixed? Security Critics Discuss the Gaps in the System

After news of yet another apparent Aadhaar-related data breach, some security experts are once again calling for the government to substantially beef up security for the identification system.


The Tribune newspaper reports that it was able to purchase, for just Rs. 500 over WhatsApp, a service offering unrestricted access to details tied to any of the more than 1 billion Aadhaar numbers created in India.

In the latest Aadhaar controversy, the unauthorized access to UIDAI data has stirred debate because some experts believe the breach could be the result of use of obsolete technology and poor implementation of security controls by the UIDAI team. 

The Tribune also reports that it paid another Rs. 300 to obtain software that could facilitate printing an Aadhaar card after entering the Aadhaar number of any individual.

Breach Notification

After The Tribune published its report on Jan. 3, the Unique Identification Authority of India, or UIDAI, which issues Aadhaar numbers, quickly issued a note saying that there had not been any Aadhaar data breach and that the data, including biometric information, is fully safe and secure and protected by robust, uncompromised security.

But some security experts question how UIDAI could conclude that there was no breach within less than 24 hours of the incident being reported.

A police case has been filed against The Tribune journalist who exposed how people could illegally access demographic data of individuals from UIDAI. The complaint, which also names the people who sold unauthorized access details to the journalist, was filed within days of the news report. In the meantime, UIDAI has written an email to The Tribune demanding proof that the information was being shared.

Other Recent Incidents

After the latest incident, and other recent incidents, Aadhaar has come under the lens of critics for its data security lapses.

For instance, security flaws in an app developed by the National Informatics Centre earlier this month gave a Bengaluru-based software developer access to the Aadhaar numbers and personal details of thousands of citizens (see: Why Does Aadhaar Data Continue to Get Compromised? ).

And the arrest of 10 men in Uttar Pradesh for allegedly cloning fingerprints of authorized Aadhaar enrollment officers stirred debate over whether it's wise for India to rely so heavily on Aadhaar for authentication (see: Arrests for Aadhaar Related Fraud Raise Concerns).

Na. Vijayashankar, a cyber law expert, says risks are growing because the Aadhaar identification and authentication system is now being used for many purposes for which it was not designed, such as transaction authentication (see: Security & Privacy Challenges for Aadhaar Based Authentication).

Some security practitioners question the wisdom of the RBI mandate that all banks must use Aadhaar as the primary form of authentication for anyone accessing their bank account in any way, pointing to concerns about whether Aadhaar data can be kept secure (see: Critics Question RBI's Aadhaar Mandate).

In 2017, breach incidents at government portals affected over 13 crore people and exposed the bank account details of about 10 crore people owing to poor security practices, putting these people at risk of financial fraud as well as identity theft.

What Security Steps are Needed?


Clearly the latest incident, and other earlier security lapses, illustrate the need for the government to rewrite the Aadhaar Act to address privacy and data protection issues.

Dr. Onkar Nath, former CISO of Central Bank who's now an IT security consultant, contends that the government, as the custodian of citizens' data, needs to invest in new technologies, tools and skills development to improve security.

Dr. Rakesh Goyal, CERT-In empanelled auditor and CEO of Sysman Consulting, says that the latest breach is a clear indication of poor security enforcement by the UIDAI. "It is definitely lack of ownership by the UIDAI's security team, where the policies are only written on paper and not being implemented in all earnest," Goyal alleges.

Goyal argues that adopting security-by-design, as well as deploying better access management controls, are both critical.

Onkar Nath alleges that technological gaps owing to the use of obsolete technologies by UIDAI likely led to the latest breach.

He contends that the incident is more evidence that UIDAI is not doing enough to protect the security of Aadhaar data and is not adhering to the IT Act 2008.

However, an inside source who works closely with UIDAI, and who requested anonymity, contends that the UIDAI team has been quite stringent with its policies and has been closely monitoring the case.

UIDAI's information security head, however, did not respond to ISMG's query on the subject.

Unanswered Questions

The key questions to consider in the wake of the latest incident are:

  • Could this latest incident somehow involve insiders at UIDAI?
  • If UIDAI denies the breach, why was an FIR (First Information Report) filed against The Tribune?
  • Has the time come for UIDAI to consider rebuilding its security posture?
  • UIDAI says that illegal access to Aadhaar data can land you in jail for 10 years. But when will it actually enforce this notification?


About the Author

Geetha Nandikotkur

Managing Editor, Asia & the Middle East, ISMG

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.