India’s national identity database hacked

India’s central biometric database, which holds data of more than one billion citizens, has apparently been breached by hackers and this Aadhaar breach has compromised personal data of over one billion Indian citizens which is apparently on sale for less than $8.

According to an investigation by India’s Tribune newspaper, the Aadhaar biometric database has been compromised, with hackers installing a gateway into the database and selling access to personal identity data for as little as 500 rupees ($7.89). Journalists for the Tribune were able to buy personal data via WhatsApp.

The Unique Identification Authority of India (UIDAI), which is responsible for Aadhaar, has denied that sensitive data has been hacked, but the Tribune investigation by was able to purchase users data.
The illicit portal into the database enables a user to enter the unique Aadhaar user ID, and access addresses, post codes, photos, phone numbers, and email addresses. For a 300 rupee ($4.70) fee, hackers will also provide software to allow a victim’s Aadhaar card to be printed.

A follow-up report by Indian news website The Quint, has suggested that Aadhaar has a security flaw, which allows anyone with administrator access to the database to also grant administrator privileges to any other person, a process which can be repeated over and over. This would give those newly appointed with administration privileges access to the identifying data including names, addresses, dates of birth, parents’ names, gender, mobile numbers, language, but not the biometric data.

Aadhaar holds biometric data including fingerprints and iris scans. The UIDAI said that the biometric information and other sensitive data has not been compromised, but that it has filed a police complaint.