Huge cache of Aadhaar numbers in public domain, warn experts

In a significant development, given the Indian government's increasing emphasis on Aadhaar numbers, cyber security experts have raised concerns about people using Aadhaar and one-time passwords for authentication of financial transactions after it was revealed that a large cache of Aadhaar numbers had become public.

Bengaluru-based think tank Centre for Internet and Society (CIS) has published a report highlighting how 13.5 crore Aadhaar accounts have been exposed by government departments.

The report, by Amber Sinha and Srinivas Kodali, said the National Social Assistance Programme (NSAP) and the National Rural Employment Guarantee Scheme, administered by the ministry of rural development, and the Chandranna Bima Scheme of the Andhra Pradesh government have made Aadhaar numbers public.

In some cases, bank account details and mobile numbers of millions of citizens are available. While many officials say the availability of the Aadhaar number itself is not a breach, payment industry security experts disagree.

Nitin Bhatnagar, associate VP (business) at SISA, a payment security specialist, told The Times of India the exposing of an Aadhaar number amounts to a breach. "Any element of payment data exposure is considered a breach in the payment industry," Bhatnagar said.

In December 2016, the Reserve Bank of India had allowed banks to use a combination of Aadhaar number and an OTP on the customer's phone for completing "know your customer" requirements and opening a bank account. A fraudster with the Aadhaar details of a customer can obtain a cloned SIM card and use it for fraudulent transactions.

The CIS report highlights how these public databases are exposing citizens to risk. "When Nandan Nilekani claims repeatedly that the Aadhaar data is secure, his focus is largely on the enrolment data collected by UIDAI, or authentication logs maintained by it. With countless databases seeded with Aadhaar numbers, we would argue that it is extremely irresponsible on the part of the UIDAI, the sole governing body for this massive project, to turn a blind eye to the lack of standards prescribed for how other bodies shall deal with such data, such cases of massive public disclosures of this data, and the myriad ways in which it may be used for mischief," the report said.

Nilekani was the original head of the Unique Identification Authority of India. With the change of government at the centre, however, he is no longer associated with UIDAI.