Aadhaar Data Breach Largest in the World, Says WEF’s Global Risk Report and Avast
During 2018, the secret and sensitive data of literally hundreds of millions of people has been torn open and exposed, then aggregated on various dark web lists for sale. Malicious cyber-attacks and lax cyber-security protocols again led to massive breaches of personal information in 2018, the largest being Aadhaar from India, say two reports.
 
The World Economic Forum's (WEF's) Global Risks Report 2019 says, "The largest (data breach) was in India, where the government ID database, Aadhaar, reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens. It was reported in January 2018 that criminals were selling access to the database at a rate of Rs500 for 10 minutes, while in March a leak at a state-owned utility company allowed anyone to download names and ID numbers."
 
 
WEF's Global Risks Perception Survey (GRPS) finds around two-thirds of respondents expect the risks associated with fake news and identity theft to increase in 2019, while three-fifths said the same about loss of privacy to companies and governments. But more about it later.
 
In a blogpost, 'Top 10 Biggest Data Breaches in 2018', Avast Software says data breaches are a terrifying top trend in the cyber-crime world that shows no sign of slowing any time soon. 
 
 
"While some data breaches are deliberate attacks, others are simply neglected databases that security auditors find lying around the web like unguarded, unlocked safes," the blog says.
 
According to Avast, between August 2017 and January 2018, Aadhaar numbers, names, email and physical addresses, phone numbers, and photos of almost 1.1 billion Indians were found susceptible to data breach. 
 
Anonymous sellers over WhatsApp charged Rs500 and lower for a portal into UIDAI where the records of virtually every citizen were at the payer’s fingertips, as reported by Rachna Khaira for The Tribune.
 
Investigations by The Tribune reveal that the racket may have started around six months ago, when some anonymous groups were created on WhatsApp. These groups targeted over 300,000 village-level enterprise (VLE) operators hired by the ministry of electronics and information technology (ME&IT) under the common service centres scheme (CSCS) across India, offering them access to UIDAI data.
 
Interestingly, last year, digital security firm Gemalto had also mentioned 1.2 billion data breaches in the Aadhaar database in its Breach Level Index report. However, it later retracted its own study on Aadhaar data breaches and tendered an unconditional apology through a half-page advertisement in a leading newspaper. 
 
But the retraction by Gemalto was not totally unexpected, as the firm has been a partner of UIDAI since the inception of Aadhaar in 2009. Gemalto has been supplying biometric scanners, including 10-finger fingerprint scanners and iris scanners. Gemalto also provides a digital tokenisation solution to UIDAI. (Read: Aadhaar Data Breach: Gemalto Publishes Abject Apology; Was It To Protect Business?)
 
In such a scenario, we wonder whether WEF and Avast will also be made to retract their reports.
 
Coming back to the WEF's GRPS report, there were further massive data breaches in 2018, new hardware weaknesses were revealed, and research pointed to the potential uses of artificial intelligence to engineer more potent cyberattacks. 
 
Last year also provided further evidence that cyber-attacks pose risks to critical infrastructure, prompting countries to strengthen their screening of cross-border partnerships on national security grounds.
 
 
In the GRPS, 'massive data fraud and theft' was ranked the number four global risk by likelihood over a 10-year horizon, with 'cyber-attacks' at number five. This sustains a pattern recorded last year, with cyber-risks consolidating their position alongside environmental risks in the high impact, high-likelihood quadrant of the Global Risks Landscape. 
 
A large majority of respondents expected increased risks in 2019 of cyber-attacks leading to theft of money and data (82%) and disruption of operations (80%). The survey reflects how new instabilities are being caused by the deepening integration of digital technologies into every aspect of life.
 
Cyber vulnerabilities can come from unexpected directions, as shown in 2018 by the Meltdown and Spectre threats, which involved weaknesses in computer hardware rather than software. They potentially affected every Intel processor produced in the past 10 years.
 
Last year also saw continuing evidence that cyber-attacks pose risks to critical infrastructure. In July, the US government stated that hackers had gained access to the control rooms of US utility companies.
 
The potential vulnerability of critical technological infrastructure has increasingly become a national security concern. The second most frequently cited risk interconnection in this year’s GRPS was the pairing of cyber-attacks with critical information infrastructure breakdown.
 
On the increasing use of biometrics, the report says we are moving into a world in which everything about us is captured, stored and subjected to artificial intelligence (AI) algorithms. 
 
It says, "If humans are increasingly replaced by machines in crucial decision loops, the result may lead not only to greater efficiency but also to greater societal rigidity. Global politics will be affected as authoritarianism is easier in a world of total visibility and traceability, while democracy may turn out to be more difficult—many societies are already struggling to balance threats to privacy, trust and autonomy against promises of increased security, efficiency and novelty. Geopolitically, the future may hinge in part on how societies with different values treat new reservoirs of data."
 
 
"Strong systems of accountability for governments and companies using these technologies could help to mitigate the risks to individuals from biometric surveillance. This will be possible in some domestic contexts, but developing wider global norms with any traction will be a struggle," the WEF report says.

    COMMENTS

    NerurTwelve

    9 months ago

    There is information available on tap in respect of Aadhaar, PAN, bank account details, passport... with names if you are willing to spend resources. It is not that sources are necessarily leaky but we are sloppy and every system which relies on IDs, banking, telecom, travel... and the people working there dealing with info like this are equally so. So, when you make this news appear as breaking news, I just say good luck. Privacy, data security... they are passé in a country where open defecation is not a shame.

    P M Ravindran

    9 months ago

    "Strong systems of accountability for governments and companies using these technologies could help to mitigate the risks to individuals from biometric surveillance. This will be possible in some domestic contexts, but developing wider global norms with any traction will be a struggle," the WEF report says.

    Let us not forget that ours is a government that has not only failed totally to implement the so-called sunshine Act (the Right to Information Act) but has actually subverted it to such an extent that anybody trying to use it will end up losing the money, time and effort invested in gaining information that the Act itself claims to be 'vital to its (democracy's) functioning and also to contain corruption and to hold Governments and their instrumentalities accountable to the governed'. Worse, the judiciary has been in the forefront of subversion of this law too.

    Often the ordinary citizens are criticised for being uninformed, if not illiterate, for the sordid state of affairs. But what such critics fail to take cognisance of is the experience of those who are adequately literate, knowledgeable and articulate. Even in the case of Sabarimala, where the constitutional bench of the apex court actually delivered a verdict that is in total violation of Article 26 of the Constitution, I have not heard a single critic of the verdict actually say it in so many terms. It is the same platitudes of the court not being apprised of the correct facts, case laws etc.

    The same goes with the Aadhaar verdict too.

    Readers may like to go through my blog at https://www.scribd.com/document/124887823/Democracy-East-is-East-and-West-is-West

    Aadhaar: Indane Leaking UID Numbers of Millions of Customers, finds French Security Researcher
    Indane, a brand owned by the Indian Oil Corp (IOC) for liquefied petroleum gas (LPG), is found leaking data of millions of Aadhaar numbers of customers and information of dealers and distributors, finds a French researcher. 
     
    Baptiste Robert, who goes by the online Twitter handle Elliot Alderson and has exposed Aadhaar leaks in the past, wrote in a blog post late on Monday that the Aadhaar data of nearly 6.7 million dealers and distributors of Indane, accessible only with a valid username and password, was left exposed.
     
    "Due to a lack of authentication in the local dealers portal, Indane is leaking the names, addresses and the Aadhaar numbers of their customers. Indane has 11062 dealers. Total number of affected customer is around 6,791,200," said Mr Alderson.
     
     
    Using a custom-built script to scrape the database, Mr Alderson found customer data for nearly 11,000 dealers, including names and addresses of customers, before his IP was blocked by Indane.
     
    "I wrote the python script. By running this script, it gives us 11,062 valid dealer IDs. After more than one day, my script tested 9,490 dealers and found that a total of 5,826,116 Indane customers are affected by this leak," he wrote.
     
     
    The French researcher found 5.8 million Indane customer records before his script was blocked.
     
    "Unfortunately, Indane probably blocked my IP, so I did not test the remaining 1,572 dealers. By doing some basic math we can estimate the final number of affected customers around 6,791,200," Mr Alderson added.
     
    According to Wikipedia, Indane serves more than 90 million families through a network of 9,100 distributors.
     
    UPDATE: At 2.48pm Tuesday, Indian Oil has denied reports of any data leak from Indane website. In a tweet, it says, "Indian Oil in its software captures only the Aadhaar number, which is required for LPG subsidy transfer. No other Aadhaar related details are captured by Indian Oil. Therefore, leakage of Aadhaar data is not possible through us."
     
    The Unique Identification Authority of India (UIDAI) has not yet commented on this data leak.

    Aadhaar: Maharashtra SET Starts Accepting Applications without the UID
    The Maharashtra State Eligibility Test (MH-SET) has allowed applicants to file their applications for the post of assistant professor without Aadhaar. Although Aadhaar was not mandatory as per the Supreme Court order, applicants were facing issues while submitting applications without the UID. 
     
    When Moneylife pointed this out to the Savitribai Phule Pune University, which is the state agency for SET, they made the necessary rectification on their website. 
     
    In an email reply, the state agency for SET says, "Since the National Testing Agency at New Delhi included Aadhaar number in the online application form for the University Grants Commission (UGC) - National Educational Tests (NET) conducted in December 2018, the Savitribai Phule Pune University state agency also thought of including Aadhaar number in the online application form. Now, the error problem has been solved and candidates can submit their online Application form without entering the Aadhaar Number."
     
    Some applicants confirmed that they were able to submit their application form without Aadhaar.
     
    The state agency is under the impression that Aadhaar helps establish the identity of an individual, enhances accuracy of the candidate's details, ascertains the identity of the candidate's details at the examination centre and helps obviate the need for producing multiple documents to prove one's identity. To this end, it was asking for the Aadhaar number in its online application form. 
     
     
    However, while the field for Aadhaar was not made mandatory, it was not allowing further processing of the form without the UID number. This was like making Aadhaar mandatory without explicitly saying so. It could have been done to avoid any backlash from the Supreme Court, which has barred use of Aadhaar, except for schemes for which the funding is derived from the Consolidated Fund of India.  
     
    The Supreme Court, in its judgement dated 26 September 2018, in Justice KS Puttaswamy vs Union of India (the Aadhaar judgement) in WP Civil No. 494 of 2012, explicitly prohibited the use of Aadhaar for entrance tests or by boards like CBSE (Central Board of Secondary Examination) and the UGC (University Grants Commission).
     
    "As far as subsidies, services and benefits are concerned, their scope is not to be unduly expanded thereby widening the net of Aadhaar, where it is not permitted otherwise. It would cover only those ‘benefits’, the expenditure thereof has to be drawn from the Consolidated Fund of India. On that basis, CBSE, NEET, JEE, and UGC cannot make the requirement of Aadhaar mandatory as they are outside the purview of Section 7 and are not backed by any law," the apex court had said.
     
     
    When we pointed out this ruling to the state agency, it made the necessary rectification allowing applicants to submit online applications without Aadhaar. 
     
    As several experts have been pointing out, Aadhaar does not establish anything. In fact, in response to a right to information (RTI) application, the Unique Identification Authority of India (UIDAI) itself had admitted that it does not certify the identity, address, date of birth, resident status or existence of any individual or any Aadhaar number. (Read: Unique ID is not Unique, does not certify anything, says UIDAI)
     
    The UGC has accredited the SET examinations being held by the University of Pune as the state agency for Maharashtra and Goa.
     
    A candidate who qualifies the SET becomes eligible for appointment as assistant professor in a university or affiliated college, provided he or she fulfils other academic qualifications prescribed for the post by the UGC.