Identity Project

How secure is Aadhaar? Gang arrested in Uttar Pradesh cloned its enrolment software

The Aadhaar authority, however, continues to maintain that the gang’s operation did not affect its database and processing system.

The Unique Identity Development Authority of India has always insisted that its database, which holds the biometrics of around 1.17 billion Indian residents, has never been breached.

However, a different vulnerability for India’s controversial unique identity project, also known as Aadhaar, was revealed last week when the police busted a racket in Kanpur, Uttar Pradesh, whose operators had cloned the Aadhaar client application. According to the police, the gang sold this replica to people, which potentially allowed them to run unauthorised enrolment centres where illegitimate Aadhaar numbers could be generated. Aadhaar is the 12-digit biometrically linked unique identification number that the government wants every Indian resident to have.

The gang may have been caught after a complaint by the Unique Identity Development Authority of India – with 10 people arrested – but cyber security experts say the incident should bring the focus back on the state of security of the entire Aadhaar ecosystem, which has been plagued with leaks.

The Aadhaar authority, however, continues to maintain that the gang’s operation did not affect its database and processing system.

Responding to the arrests, the Unique Identity Development Authority of India said in a statement on Tuesday that it had noticed an unusually high number of logins into the client application by a few authorised operators, after which it filed a complaint with the police on August 16. It said: “The attempt to generate fake Aadhaar cards was foiled by the robust UIDAI system and the arrested gang could not succeed in its nefarious and illegal designs.”

The police are yet to ascertain the gang’s scale of operations. For this, they will need to establish how many people the gang sold the replica application to. The police would also have to facilitate an enrolment audit, a task in which the Unique Identity Development Authority of India will have to determine which Aadhaar numbers were generated by unauthorised persons using the cloned app.

Elaborate operation

The Aadhaar client application is only provided to authorised enrolment centres. Its operators are required to log in through a biometric system in which their fingerprints are scanned to check if they are authorised.

The members of the gang allegedly made copies of the login details of registered operators, including their fingerprints, and gained unauthorised access to the application, the police said. The fingerprints were replicated with the help of butter paper, and treated with chemicals and ultraviolet rays at different temperatures to create a mould using gelatin gel and latex, it said.

A few months ago, the Aadhaar authority added another layer of security to the login process for enrolment operators, making iris recognition mandatory for them to access the client application, the police said.

“But by then it was too late,” said Triveni Singh, additional superintendent of police with the Uttar Pradesh police’s Special Task Force. “The gang had already created a replica of the client application in which they had bypassed both the fingerprint and iris recognition requirements, and had started selling copies of the replica for Rs 5,000 each to individuals.”

Individuals who purchased the cloned application could log into the system using the basic login details of registered enrolment operators, which the gang members shared with them. Because the application had been altered, the biometric requirements were no longer mandatory, the police said.

“We are yet to track down the individuals to whom the cloned client application was sold,” said Singh. “Only then we will be able to ascertain details of the illegitimate Aadhaar enrolments they had carried out,” he added.


Cyber security of the Aadhaar ecosystem

According to cyber security expert Pavan Duggal, the cloning racket is a wake-up call for the Unique Identity Development Authority of India. “It has exposed the inadequacy of the Aadhaar framework in terms of cyber security,” he said. “Fishing out unauthorised Aadhaar cards, if any, from the system will be a massive challenge. The incident definitely raises concerns about the cyber security of the Aadhaar ecosystem, which the Aadhaar Act is silent about.”

He said that when the Aadhaar Act was enacted in 2016 the government’s plans to link Aadhaar with bank accounts, permanent account numbers, mobile phone numbers and so on, were not in place. Now Aadhaar has become part of an ecosystem in cyber space and it remains unprotected, he said. “The law has to be amended to take care of that,” he added.

Leaked source code

But how was it possible to make a clone of the client application so easily?

“The gang members had access to the source code of the original Aadhaar client application,” Triveni Singh said. “They tampered with it slightly just to bypass the biometric requirements for the login. It looks like they were helped by someone who is an expert in software development. We also suspect the involvement of an UIDAI [Unique Identity Development Authority of India] insider.”

The source code is a set of computer instructions to build an application, written in a readable programming language.

According to cyber security expert Kislay Chaudhary, who works as a consultant with several government agencies, it is easy to tamper with the source code of a website or application and create a duplicate with minor modifications.

“The strength of any source code depends on the expertise of the software developers and web developers hired by an agency to design an application or website,” he said. “Many government agencies have websites that are literally copy-paste models, with their source codes almost entirely borrowed from others. They can be easily replicated.”

He added that the Kanpur cloning has clearly exposed the vulnerability of Aadhaar as far as cyber security is concerned, and that it was high time the Unique Identity Development Authority of India came out of its state of denial.

UIDAI’s statement

In its statement, besides claiming that its inbuilt safeguards were responsible for foiling the racket, the Unique Identification Authority of India drew attention to its efforts to put an end to malpractices. It said it conducts regular field investigations, and based on these investigations, operators and supervisors found involved in malpractices are blacklisted for up to five years, and even fined. It added that in the past nine months it has blacklisted around 49,000 operators for corrupt practices and fined 6,566 operators for overcharging to issue Aadhaar numbers.
