Aadhaar Data Breach: Gemalto Publishes Abject Apology; Was It To Protect Business?
Moneylife Digital Team 27 October 2018
Digital security firm Gemalto, having retracted a study on Aadhaar data breaches, has tendered an unconditional apology through a half-page advertisement in a leading newspaper. In this unusual advertisement, addressed to the 'People of India', it regrets the 'grave error' on its part while publishing a report on 1.2 billion data breaches in the Aadhaar database.
Those who know about Gemalto's business with the Unique Identification Authority of India (UIDAI) believe that there is more to the withdrawal of the Breach Level Index and apology than meets the eye. Was Gemalto under pressure to withdraw the report to protect other business interests, they wonder? The abject apology seems another step in that direction.
In the (now withdrawn) Breach Level Index report, Gemalto had stated that during the first half of 2018 there were 945 data breaches leading to 4.5 billion data records being compromised, and that India's Aadhaar witnessed 1.2 billion data breaches in March, making it the second-highest breach in the world after Facebook.
In its 'apology' advertisement, Philippe Vallee, chief executive of Gemalto, says, "Gemalto wants to make it clear that this error has been corrected in the revised report. All concerned parties should take note that we have not been able to find any verified or substantiated data breach of Aadhaar data. As a result, Gemalto has withdrawn the data breach claim from the Breach Level Index Report."
(Advertisement published by Gemalto)
So what does Gemalto do for UIDAI? It has collaborated with UIDAI since the inception of the Aadhaar scheme in 2009 and has been supplying biometric scanners, including 10-finger fingerprint scanners and iris scanners. Gemalto also provides a digital tokenisation solution to UIDAI.
Here is what it has accepted in its customer case study report on Aadhaar: “The roots of Gemalto's involvement in the Aadhaar project stretch right back to the very beginning. In the search for biometric enrolment solutions capable of capturing fingerprint and iris scans from over one billion people, the Indian authorities turned in particular to 3M Cogent – now a Gemalto company.”
(Gemalto fingerprint scanners)
Further, in the same customer case study report, Gemalto says, “Another 2017 initiative by the UIDAI is set to promote even wider use of Gemalto technology within the Aadhaar scheme. Specifically, because the Unique Identification Numbers (UIDs) issued by the UIDAI contain Personally Identifiable Information (PII), the authority mandated that the private cryptographic keys used to digitally sign and authenticate UIDs must be stored on a Hardware Security Module (HSM). Furthermore, to prevent data falling into the wrong hands, their use was also made subject to strict conditions. This included the use of 'tokenisation' - the process of replacing data with a digital token that can be safely stored, processed and transmitted without compromising the original information. Gemalto is recognised as a world leader in this field, and the company's SafeNet Tokenisation and Luna HSM technologies both meet the UIDAI's exacting mandates and were selected.”
(Gemalto case study on Aadhaar, published on its website)
For Gemalto, a supplier of 3M scanners for Aadhaar and a provider of tokenisation services, the report was clearly deeply embarrassing to the project and to itself if the Breach Level Index report's findings were held accurate. It also raises questions about Gemalto's own products and services to UIDAI.
In July this year, Gemalto, in the same customer case study report on Aadhaar, was full of praise for the ID project. It said, "The Aadhaar Act 2016 for example is providing stronger legal backing to the Aadhaar unique identification number project and opening the door to a large scope of applications. What's more, as it migrates from public to private sector, Aadhaar is likely to provide an equally dynamic springboard for a host of different enterprises, helping to power and protect economic growth in the years ahead."
The Supreme Court of India's long-awaited judgement has now discarded that section from the Aadhaar Act, which allowed private parties to piggyback on the ID project. (Read: Supreme Court Upholds Aadhaar; Says Private Entities, Including Banks, Mobile Operators Cannot Demand Aadhaar)
On 26 September 2018, the five-judge Constitution Bench of the Supreme Court barred private entities, like telecom companies, banks and payment service providers, from demanding and using Aadhaar data of customers. (Read: How To Delink Your Aadhaar from Bank Accounts, Mobile Number, E-wallets)