Police on Tuesday arrested Abhinav Srivastav, a 31-year-old MSc graduate of the Indian Institute of Technology-Kharagpur employed with cab aggregator Ola as a software development engineer, for allegedly hacking and illegally accessing the server of the Unique Identification Authority of India (UIDAI).
Srivastav, who according to police, lives at Yeshwantpur in Bengaluru and hails from Kanpur in Uttar Pradesh, is accused of having stolen demographic data including addresses, mobile phone numbers, email addresses, age and sex of at least 40,000 Aadhaar cardholders by hacking into the UIDAI database. Police said he has not accessed any biometric data like fingerprints and iris scans.
The case came to light earlier this week when the UIDAI filed a case against ride-hailing service Ola and its payments arm Qarth Technologies Pvt Ltd.
Records accessed by The Indian Express from the Registrar of Companies and the public online profiles of the accused have revealed that Qarth was started in October 2012 by Abhinav Srivastava and Prerit Srivastava - both of the 2004-2009 batch of the Indian Institute of Technology-Kharagpur.
Bengaluru-based Quarth runs a mobile multi-bank payment service called X-Pay, and was acquired by Ola last year (See: IIT-K alumnus, Quarth Tech under probe for Aadhar theft).
According to police, Srivastav accessed UIDAI data through the e-hospital application hosted by the government's National Informatics Centre (NIC). "Srivastav had developed an e-KYC verification mobile application and hosted the same on (Google) Play Store. Anyone clicking on this app would enter the e-hospital service, which is a central government scheme with Aadhaar-related details in it," they said.
Police described Srivastav as an employee of Ola at its Koramangala office. Srivastav is said to have become part of the cab aggregator when the latter acquired his company, Qarth Technologies, last year.
City police commissioner T Suneel Kumar said Srivastav told police that he earned Rs40,000 through advertisements on the app. "I had developed an Aadhaar e-KYC verification app and put it on Google Play Store. I got Rs 40,000 from ads shown on the app between January and July this year," Srivastav was quoted as saying.
However, police suspect there is more to the issue and said they will question him further. Srivastav was remanded on Wednesday in police custody for 10 days. He is booked under sections in which perpetrators are punishable with imprisonment up to three years and a penalty of Rs10 lakh.
"We would like to question his motives for hacking and stealing the information and how he managed to access the server of UIDAI," additional commissioner of police (crime) S Ravi said.
Asked about the matter, an Ola spokesperson said, "Ola has neither commissioned nor is involved in any such activity. No such complaint has been brought to our notice."
A senior cybercrime police official told The Times of India Srivastav has described himself as an ethical hacker in some online profiles. "His personal data shows that he had worked as a security researcher with Iviz Security and successfully explored vulnerabilities in internet payment gateways. Most importantly, one of his profiles says he "built tools for exploring Flash Vulnerability", which apparently received the appreciation of world-renowned hacker Jeremiah Grossman, the founder of web security firm WhiteHat Security. So we cannot take him or his works lightly," he said.