India’s digital identity system breached because of old patch

Incident Overview

Aadhaar, India’s ambitious digital identity system, was designed to simplify access to government and commercial services for over a billion citizens. However, between 2017 and 2018, a series of security breaches exposed the vulnerability of this massive system, raising significant concerns.

What Happened

The Aadhaar breach occurred because hackers exploited a software patch. This patch, available for as little as $35, allowed unauthorized users to bypass critical security measures. Specifically, it disabled biometric authentication (iris scans and fingerprints) and GPS location tracking for enrolment operators. As a result, new Aadhaar numbers could be generated from anywhere in the world, without proper verification.

Additionally, government websites provided unrestricted access to Aadhaar data via an API, which allowed anyone with basic details such as name and date of birth to check whether the information corresponded to an Aadhaar number. This open access violated the Aadhaar Act and further exposed personal data to hackers.
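The patch worked because the operator biometric and GPS checks could be switched off on the enrolment client. The following is an added example, not UIDAI's code or design, of a server-side gate that refuses enrolment packets lacking server-issued proof of those checks; all field names, the key, and the region table are hypothetical.

```python
import hashlib
import hmac

# Constructed key and region table for this example (hypothetical values).
AUTH_KEY = b"example-only-key"
OPERATOR_REGIONS = {"op-1001": (12.8, 13.2, 77.4, 77.8)}  # lat_min, lat_max, lon_min, lon_max


def biometric_token(operator_id: str, session_id: str) -> str:
    """Token a server-side auth service issues after it verifies the operator's biometric."""
    msg = f"{operator_id}|{session_id}".encode()
    return hmac.new(AUTH_KEY, msg, hashlib.sha256).hexdigest()


def check_enrolment(packet: dict) -> list[str]:
    """Return the reasons to reject an enrolment packet; an empty list means accept."""
    reasons = []
    op = packet.get("operator_id", "")
    region = OPERATOR_REGIONS.get(op)
    if region is None:
        reasons.append("unknown operator")
    # Never trust a client-side "biometric passed" flag: require a server-issued token.
    expected = biometric_token(op, packet.get("session_id", ""))
    if not hmac.compare_digest(packet.get("operator_token", ""), expected):
        reasons.append("operator biometric not verified by server")
    # A missing location is a rejection, not a default-allow.
    gps = packet.get("gps")
    if gps is None:
        reasons.append("missing GPS fix")
    elif region and not (region[0] <= gps[0] <= region[1] and region[2] <= gps[1] <= region[3]):
        reasons.append("GPS outside operator's registered region")
    return reasons


# Constructed sample packets.
GOOD = {"operator_id": "op-1001", "session_id": "s1",
        "operator_token": biometric_token("op-1001", "s1"), "gps": (12.97, 77.59)}
PATCHED = {"operator_id": "op-1001", "session_id": "s2",
           "biometric_ok": True, "gps": None}  # client claims success, sends no proof

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("patched", PATCHED)):
        print(name, check_enrolment(pkt) or "accept")
```

Coordinates reported by the client remain a signal rather than proof of location; the point of the gate is that a disabled check produces a rejection instead of a silent pass.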

Data Exposed

Sensitive information, including names, addresses, phone numbers, and biometric data like iris scans and fingerprints, was compromised. Government websites leaked millions of records related to children, workers, and pregnant women, exposing detailed personal information such as health tracking data and vaccination history.

How Was the Issue Addressed

The breaches resulted from weak software security and misuse of access rights by former enrolment operators. UIDAI responded by revoking third-party enrolment operator rights and enforcing stricter security measures. However, the damage was done, with millions of records already compromised.

Support and Mitigation Measures

To prevent future breaches, experts recommend enforcing stronger passwords, securing data transfers, providing security training, and implementing advanced authentication measures. Regular software updates and the restriction of third-party access are also critical steps to securing the Aadhaar system going forward.

Potential Impact

The exposure of biometric and demographic data presents significant risks for identity theft and unauthorized access to public services. The breach highlights the need for stronger security in large-scale digital identity systems, as the impact can be widespread, affecting financial transactions, health services, and more.

Conclusion

Digital identity systems like Aadhaar offer efficiency but come with significant security risks. Ensuring the security of sensitive data must be a top priority, requiring ongoing vigilance, improved technology, and stronger policies to prevent future breaches.