UIDAI denies claims of Aadhaar data breach on Indane's systems
The UIDAI has denied the claims of an Aadhaar data breach on the systems run by state-owned utility company Indane. Earlier, a report by ZDNet suggested that the Aadhaar details of all registered Indane customers were exposed online and could be accessed by anyone. UIDAI said that "there is no truth in this story" and that they were "contemplating legal action against ZDNet."
The report claimed that Indane's API wasn't secure, allowing access to personal information like names, unique 12-digit Aadhaar numbers, and bank names related to those Aadhaar numbers. "The affected endpoint uses a hardcoded access token, which, when decoded, translates to 'INDAADHAARSECURESTATUS,' allowing anyone to query Aadhaar numbers against the database without any additional authentication," the report said.
Last week, UIDAI CEO Ajay Bhushan Pandey said, "Each Aadhaar biometric is encrypted by a 2048-key combination and to decode it, the best and fastest computer of our era will take the age of the universe just to hack into one card's biometric details."
"One must understand that the Aadhaar number is not a secret number," UIDAI explained. "Mere availability of Aadhaar number with a third person will not be a security threat to the Aadhaar holder or will not lead to financial/other fraud, as for any transaction, a successful authentication through fingerprint, Iris or OTP of the Aadhaar holder is required," it added.
The ZDNet report said the endpoint vulnerability was discovered by Delhi-based security researcher Karan Saini. He claimed that since Indane has access to the entire Aadhaar database through an unsecured API, information of all Aadhaar holders was at risk. Hackers can go through endless permutations to guess an Aadhaar number and steal its corresponding information since the API doesn't employ rate limiting, Saini added.
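The two weaknesses the report describes, a single hardcoded access token shared by every caller and a lookup endpoint with no rate limiting, shown beside a hardened variant, as an added example that is not part of the original article and is not Indane's or UIDAI's code. The service, the token value, the base64 encoding of it, the sample records and the caller credentials are all constructed for illustration.

```python
"""Added illustration of the two weaknesses the report describes: one hardcoded
access token shared by every caller, and a lookup endpoint with no rate limit,
so the ID space can be swept. Everything here is constructed: the service,
token value, records and credentials are hypothetical, not Indane's or UIDAI's."""
import base64
import time

# Constructed sample records keyed by a 12-digit ID.
RECORDS = {
    "123456789012": {"name": "A. Example", "bank": "Example Bank"},
    "123456789013": {"name": "B. Example", "bank": "Other Bank"},
}

# Weak design: one static token baked into the client. Base64 is an assumption
# about the encoding; the report only says the token "decodes" to a fixed string.
WEAK_TOKEN = base64.b64encode(b"EXAMPLE-SHARED-SECRET").decode()


def lookup_weak(token, id_number):
    """Any holder of the single shared token can query any ID, without limit."""
    if token != WEAK_TOKEN:
        return {"error": "forbidden"}
    return RECORDS.get(id_number, {"error": "not found"})


class TokenBucket:
    """Per-key token bucket: up to `capacity` requests in a burst, refilled at
    `rate` per second. `clock` is injectable so behaviour is deterministic."""

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock
        self.state = {}  # key -> (tokens remaining, time of last refill)

    def allow(self, key):
        now = self.clock()
        tokens, last = self.state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.state[key] = (tokens, now)
            return False
        self.state[key] = (tokens - 1, now)
        return True


class HardenedService:
    """Hardened design: per-caller credentials, each scoped to the IDs that caller
    may look up, and a per-caller rate limit checked before the data is touched."""

    def __init__(self, limiter, credentials):
        self.limiter = limiter
        self.credentials = credentials  # credential -> set of IDs it may query

    def lookup(self, credential, id_number):
        scope = self.credentials.get(credential)
        if scope is None:
            return {"error": "unauthenticated"}
        if not self.limiter.allow(credential):
            return {"error": "rate limited"}
        if id_number not in scope:
            return {"error": "forbidden"}
        return RECORDS.get(id_number, {"error": "not found"})


def sweep(query, credential, start, count):
    """Query `count` consecutive IDs from `start`, the brute-force pattern the
    report warns about. Returns (records obtained, requests the service refused);
    'not found' is a normal answer, not a refusal."""
    hits, refused = {}, 0
    for n in range(start, start + count):
        id_number = f"{n:012d}"
        resp = query(credential, id_number)
        if "error" not in resp:
            hits[id_number] = resp
        elif resp["error"] != "not found":
            refused += 1
    return hits, refused


if __name__ == "__main__":
    # Against the weak endpoint the sweep harvests every record in range.
    print(sweep(lookup_weak, WEAK_TOKEN, 123456789000, 20))
    # Against the hardened one the same sweep gets nothing: 5 requests reach the
    # scope check and are refused, the remaining 15 are rate limited.
    svc = HardenedService(TokenBucket(capacity=5, rate=1.0, clock=lambda: 0.0),
                          {"cred-customer-1": {"123456789012"}})
    print(sweep(svc.lookup, "cred-customer-1", 123456789000, 20))
    # A legitimate, in-scope lookup by a fresh caller still works.
    fresh = HardenedService(TokenBucket(5, 1.0), {"cred-customer-1": {"123456789012"}})
    print(fresh.lookup("cred-customer-1", "123456789012"))
```

The order of checks in `HardenedService.lookup` matters: the rate limit is applied per credential before the scope check, so a caller cannot learn which IDs exist by timing or by counting "forbidden" versus "not found" answers faster than the bucket refills, and a leaked credential exposes only the IDs in that caller's scope rather than the whole table.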
ZDNet said that it had informed the government of the alleged data breach a month earlier but received no response. It then contacted the Indian Consulate in New York and Devi Prasad Misra, consul for trade and customs, but to no avail. However, ZDNet claims that within hours of the story being published, the affected endpoint was taken offline.
Aadhaar has been continuously in the news over security vulnerabilities. Earlier, French security researcher Elliot Alderson reportedly broke into the Aadhaar Android app within a minute and gained access to 22,000 card details. Notably, Aadhaar is the world's largest biometric identity database, with over 1.1 billion enrolled users.