Hours after a news report on January 4 exposed how the Aadhaar-related demographic data of more than one billion Indian residents had been leaked, the Unique Identification Authority of India, which manages the Aadhaar database, responded that the “mere display” of this information could not “be misused without biometrics”.
Aadhaar is a massive project by the Indian government to provide every resident with a 12-digit unique identity number attached to their biometric data.
However, cyber security experts and lawyers say that the Unique Identification Authority of India’s response was an “incompetent claim”, which indicated that the body was not treating the security breach with the seriousness it warranted.
These experts said that any breach of security of Aadhaar-related demographic data not only violates an individual’s right to privacy, which was upheld by the Supreme Court last year as a fundamental right protected under Article 21 of the Constitution, but also subjects them to threats ranging from financial fraud to the misuse of their identity.
The news report in The Tribune newspaper that exposed the security breach said that it took a reporter only Rs 500 and 10 minutes to access the entire Aadhaar database and its trove of demographic details – such as names, addresses, postal codes, phone numbers, photographs and e-mail addresses of people enrolled in the programme. The Unique Identification Authority of India went on to file a police complaint against the reporter for impersonation, cheating and forgery, among other charges, a move that the Editors Guild of India has condemned as an attack on press freedom.
Resource for criminals
Despite the Unique Identification Authority of India claim that individual security could not been compromised by unauthorised access of the sort reported by the Tribune, Pavan Duggal, a lawyer who specialises in cyber security, disagreed. “Demographic data is largely private data and there is a tremendous amount of risk associated with the unauthorised access of such data,” he said. “It is a goldmine for criminals, in both physical and virtual spaces, who can target any individual through such private data.”
Duggal added: “The availability of demographic data eventually leads to the violation of the right to privacy. It can also act as fodder for groups indulging in financial frauds.”
Kislay Chaudhary, a cyber security expert and consultant to police departments in several states, concurred.
Chaudhary explained that criminals usually initiate financial fraud via a tactic known as social engineering in which they attempt to manipulate people on the phone or online to reveal confidential information such as passwords or bank details. One of the forms social engineering takes is phishing, a process in which criminals phone their targets pretending to be credible persons like bank officials and get them to reveal confidential information. Another form of phishing is when criminals send their targets emails or text messages disguised to look like they are from a reliable source, but which include links to malicious websites designed to give the criminal access to the victim’s electronic devices and the security-related data they contain.
“If demographic information of such a massive scale has been exposed, imagine the sample size of data that such criminals can [now] use to evaluate the behaviour of their targets as part of the social engineering process,” said Chaudhary.
High accuracy, high crime
Vineet Kumar, president of Cyber Peace Foundation, an advisory group involved in the set up of a cyber security system in the Union Ministry of Women and Child Development, said that access to any kind of demographic data made life easier for criminals
“Demographic data acquired from the Aadhaar database will be significantly high in accuracy compared to the limited data which phishing rackets so far had access to,” he said. “Higher accuracy means higher success rate in executing such crimes.”
Kumar said that there has been a surge in spear phishing in which potential victims are specifically picked based on the information the criminal already has about them. This is a more targeted form of fraud than voice phishing in which criminals are usually working blind, without significant information about their potential victims. “If demographic data related to Aadhaar lands in the wrong hands, it can be a rich resource for spear phishing,” he said.
In the past few years, there have been several instances of phishing in which unsuspecting people have lost their money after criminals have phoned them on the pretext of updating their Aadhaar details. Often, people have fallen for these cons because the callers had inquired about details that seemed totally unrelated to monetary transactions.
“Here, we are talking about individuals who are not well aware in terms of digital literacy,” Kumar said. “There will always be higher probability for a targeted individual to be deceived if someone calls on the pretext of correcting some demographic information such as permanent address or date of birth, and then initiates a financial transaction by extracting a one-time password calling it some [kind of a] verification code.”
At a meeting on cyber security held in November, Union Home Minister Rajnath Singh had raised concerns about phone fraud, a term commonly used to refer to cases of voice phishing.
National Security matter
This could also hurt national security.
Kumar elaborated: “With such detailed demographic information, one can easily forge identification documents that can be used to procure SIM cards for nefarious activities or gain access to sensitive places such as airports and government offices, thus causing a threat to national security.”
Pavan Duggal criticised the Unique Identification Authority of India for its lackadaisical attitude towards data security. “It is an incompetent claim that demographic data cannot be misused without biometrics,” he said. “It is clear that the entire Aadhaar ecosystem, which deals with both demographic and biometric information, stands poor in terms of cyber security. Any agency that deals with such private data should ensure utmost care in handling information, which will never be possible without complying with information technology rules and stepping up cyber security related to the system.”